This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
SQL Injection Cookbook - Oracle
Database objects
Tables
List table names
List columns for a specific table
View table permissions
Change table permissions
Create a table
Stored procedures or functions
List stored procedures or functions
Parameters for a stored procedure or function
Source code of a stored procedure or function
Create a stored procedure or function
System data
Users
Identify current user
List of database users
List of database administrators
Database user permissions
Create a new user
Change a user password
Delete a user
Database server
View database server settings
Change database server settings
View database server processes
Kill database server process
Host Operating System
Operating System version
OS environment variables
Execute OS shell command
Read file contents
Arbitrary file writes
File uploads
Queries
Strings
Valid string delimiters
String concatenation
String-based queries with no quote characters
String concatenation is performed by a double pipe (||).
SELECT
FirstName || ' ' || LastName
FROM
People
Query syntax
Result row count limiters
Acceptable whitespace
Tableless queries
Tableless queries aren’t supported in Oracle per se. However, a special table named "Dual" allows for similar functionality. This doesn't help much for filter evasion since it still matches the standard SELECT syntax.
SELECT
'This is a string'
FROM
Dual
Query comments
Command delimiters
Set operators
Set operators are used to combine the results from two different queries. The number of columns and order of column types must be identical for both queries. The general syntax is
SELECT
fname, lname
FROM
employees
SET_OPERATOR
SELECT
fname, lname
FROM
customers
UNION
Returns the rows from both queries, removing duplicates
UNION ALL
Returns the rows from both queries, duplicates are not removed.
INTERSECT
Returns the rows that are found in the results of both queries.
MINUS
Returns only the rows in the first query that are not found in the second query.
Special queries
Single column queries
Single row queries
Functions, etc.
Data type casting
Query output to file
Attacks
Breaking out of a query
WHERE clauses
FROM clauses
Other parts of a SELECT
INSERT statements
UPDATE statements
Inference and timing attacks
SQL Tautologies
A tautology is something that is inherently true. SQL tautologies are used when you want to force a query to return all results, basically ignoring any WHERE conditionals. Simple tautologies like " OR 1=1" are useful, but may be filtered out by some security tools. The table below offers a number of tautologies that filter writers (even on well known commercial tools) may not have considered.
| Statement | Numeric
(1 = 1) |
String
('a' = 'a') |
Binary
(0x1 = 0x1) |
|---|---|---|---|
| a = a | X | X | X |
| a ^= b | X | X | X |
| a < b | X | X | X |
| b > a | X | X | X |
| a <= b | X | X | X |
| b >= a | X | X | X |
| a <! b | X | X | X |
| b >! a | X | X | X |
| a operator ANY (a, b, c, d)
where operator is any of the first 9 listed comparison operators; for the statement to be true, the operator must return true for a and least one of the items in the list |
X | X | X |
| a operator SOME (a, b, c, d)
SOME is a synonym of ANY |
X | X | X |
| a operator ALL (a, b, c, d)
similar to ANY, except that the operator must return true for a and all of the items in the list |
X | X | X |
| a IN (c, b, a) | X | X | X |
| a NOT IN (d, c, b) | X | X | X |
| b BETWEEN a AND c | X | X | X |
| a NOT BETWEEN c AND d | X | X | X |
| a LIKE a | X | ||
| a NOT LIKE b | X |
