hacking:sql_injection_cheat_sheet_oracle

Differences

This shows you the differences between two versions of the page.

hacking:sql_injection_cheat_sheet_oracle [2020/04/01 11:22] peter
hacking:sql_injection_cheat_sheet_oracle [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 64: Line 64:
 SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2 SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2
 </code>| </code>|
-|Avoiding Quotes|SELECT chr(65) || chr(66) FROM dual; -- returns AB|+|Avoiding Quotes|<nowiki>SELECT chr(65) || chr(66) FROM dual; -- returns AB</nowiki>|
 |Time Delay|<code> |Time Delay|<code>
 BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT
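Review bot: The Avoiding Quotes cell is now wrapped in <nowiki>, while the rows directly above and below it wrap their SQL in <code>, so this one statement will render in the body font instead of as code. Wrapping it in <code> like its neighbours would still stop the || from being parsed as table cell separators and would keep the table consistent.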
Line 76: Line 76:
 SELECT UTL_HTTP.REQUEST('http://google.com&#39;) FROM dual; SELECT UTL_HTTP.REQUEST('http://google.com&#39;) FROM dual;
 </code>| </code>|
-|Command Execution | +|Command Execution |<code>
  
 [[http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql|Java]] can be used to execute commands if it's installed. [[http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql|Java]] can be used to execute commands if it's installed.
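Review bot: The <code> opened on the Command Execution row now encloses the [[...|Java]] link on the following line, and DokuWiki does not parse wiki markup inside <code>, so the link will be shown as raw bracket text instead of a clickable reference. Keep the prose and link as plain cell text and reserve <code> for actual statements. Separately, the unchanged UTL_HTTP.REQUEST line above shows a literal &#39; where the closing quote of the URL string should be; if that is in the page source it is worth correcting in the same edit.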
Line 82: Line 82:
 [[http://www.0xdeadbeef.info/exploits/raptor_oraextproc.sql|ExtProc]] can sometimes be used too, though it normally failed for me. :-( [[http://www.0xdeadbeef.info/exploits/raptor_oraextproc.sql|ExtProc]] can sometimes be used too, though it normally failed for me. :-(
 </code>| </code>|
-|Local File Access| +|Local File Access|<code>
- +
 [[http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql|UTL_FILE]] can sometimes be used. Check that the following is non-null: [[http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql|UTL_FILE]] can sometimes be used. Check that the following is non-null:
 SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir'; SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
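Review bot: On the Local File Access row the new <code> swallows both the [[...|UTL_FILE]] link and the sentence around it, so readers will see raw link markup mixed with prose in a code box; only the SELECT against v$parameter2 belongs inside <code>. While converting it, check the link target: the UTL_FILE label points at raptor_oraexec.sql, the same file the Java link in the Command Execution row uses.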
Line 99: Line 98:
 SYSTEM SYSTEM
 SYSAUX SYSAUX
-</code>+</code>|
  
 ---- ----
hacking/sql_injection_cheat_sheet_oracle.1585740152.txt.gz · Last modified: 2020/07/15 09:30 (external edit)