Oracle injection
Serve this post a wayback machine copy of the deleted post from .
Using Oracle to make Out of Band HTTP and DNS requests is well documented, but as a means of exfiltrating SQL data in injections. The same techniques and functions can be modified to perform other SSRF/XSPA.
Installing Oracle can be really painful, especially if you want to set up a quick instance to try out commands. My friend and colleague at , , pointed me to that allowed me to set up an instance on a t2.large AWS Ubuntu machine and Docker.
I ran the docker command with the --network="host" flag so that I could mimic Oracle as a native install with full network access, for the course of this blogpost.
In order to find any packages and functions that support a host and port specification, I ran a Google search on the . Specifically,
The search returned the following results (not all of them can be used to make outbound network connections):
DBMS_NETWORK_ACL_ADMIN
UTL_SMTP
DBMS_XDB
DBMS_SCHEDULER
DBMS_XDB_CONFIG
DBMS_AQ
UTL_MAIL
DBMS_AQELM
DBMS_NETWORK_ACL_UTILITY
DBMS_MGD_ID_UTL
UTL_TCP
DBMS_MGWADM
DBMS_STREAMS_ADM
UTL_HTTP
In any case, let’s take a look at some of the packages that we have discovered and listed above.
DBMS_LDAP.INIT
The DBMS_LDAP package allows for access of data from LDAP servers. The init() function initializes a session with an LDAP server and takes a hostname and port number as an argument.
This function has been documented before to show exfiltration of data over DNS, like below
However, given that the function accepts a hostname and a port number as arguments, you can use this to work like a port scanner as well.
Here are a few examples
An "ORA-31203: DBMS_LDAP: PL/SQL - Init Failed." error shows that the port is closed, while a session value points to the port being open.
UTL_SMTP
A crude example is shown below with the UTL_SMTP.OPEN_CONNECTION function, with a timeout of 2 seconds
An "ORA-29276: transfer timeout" error shows that the port is open but no SMTP connection was established, while an "ORA-29278: SMTP transient error: 421 Service not available" error shows that the port is closed.
UTL_TCP
Interestingly, due to the ability to craft raw TCP requests, this package can also be used to query the Instance meta-data service of all cloud providers as the method type and additional headers can all be passed within the TCP request.
UTL_HTTP and Web Requests
You could additionally use this to perform some rudimentary port scanning as well, with queries like
An "ORA-12541: TNS:no listener" or a "TNS:operation timed out" error is a sign that the TCP port is closed, whereas an "ORA-29263: HTTP protocol error" or data is a sign that the port is open.
This crude search obviously skips packages like DBMS_LDAP (which allows passing a hostname and port number) as simply points you to a . Hence, there may be other Oracle packages that can be abused to make outbound requests that I may have missed.
The UTL_SMTP package is designed for sending e-mails over SMTP. The example provided on the . For us, however, the interesting thing is with the ability to provide a host and port specification.
The UTL_TCP package and its procedures and functions allow . If programmed for a specific service, this package can easily become a way into the network or perform full Server Side Requests, as all aspects of a TCP/IP connection can be controlled.
The example . We can simplify it a little more and use it to make requests to the metadata instance, for example, or to an arbitrary TCP/IP service.
Perhaps the most common and widely documented technique in every Out of Band Oracle SQL Injection tutorial out there is the . This package is defined by the documentation as - The UTL_HTTP package makes Hypertext Transfer Protocol (HTTP) callouts from SQL and PL/SQL. You can use it to access data on the Internet over HTTP.
Another package I have used in the past with varied success is the that allows you to interact with a URL and provides support for the HTTP protocol. The GETCLOB() method is used to fetch the GET response from a URL as a CLOB:
select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;
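For detection, the calls described on this page can be picked out of database audit or application query logs. The sketch below is an added example, not code from the original post: it flags sessions whose SQL reaches internal or metadata addresses, or tries several ports on one host. The record format, function names, and threshold are assumptions, and UTL_HTTP.REQUEST and UTL_TCP.OPEN_CONNECTION are taken as the usual entry points of those packages.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Host/port-taking calls named on this page; matching ignores case and spacing
# and accepts named parameters. Only literal (quoted) targets are parsed.
CALL_RE = re.compile(
    r"\b(DBMS_LDAP\s*\.\s*INIT|UTL_(?:SMTP|TCP)\s*\.\s*OPEN_CONNECTION|"
    r"UTL_HTTP\s*\.\s*REQUEST|HTTPURITYPE)\s*\(\s*(?:\w+\s*=>\s*)?'([^']*)'"
    r"(?:\s*,\s*(?:\w+\s*=>\s*)?(\d+))?", re.IGNORECASE)

def target_of(arg, port):
    """Return (host, port) from a URL argument or a host literal plus port."""
    if "://" in arg:
        url = urlsplit(arg)
        return url.hostname, url.port or (443 if url.scheme == "https" else 80)
    return arg.lower(), int(port) if port else None

def is_internal(host):
    """True for link-local (cloud metadata), loopback and private literals."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an address literal
        return False
    return ip.is_link_local or ip.is_loopback or ip.is_private

def analyze(records, sweep_threshold=3):
    """Map session id -> sorted findings for (session_id, sql_text) records."""
    ports, findings = defaultdict(set), defaultdict(set)
    for session, sql in records:
        for _, arg, port in CALL_RE.findall(sql):
            host, port = target_of(arg, port)
            ports[(session, host)].add(port)
            if is_internal(host):
                findings[session].add(f"internal-target:{host}")
            if len(ports[(session, host)]) >= sweep_threshold:
                findings[session].add(f"port-sweep:{host}")
    return {s: sorted(f) for s, f in findings.items()}

# Constructed audit records (assumed format: session id, SQL text).
SAMPLE = [
    ("s1", "select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual"),
    ("s2", "SELECT dbms_ldap.init('host-a.example', 22) FROM dual"),
    ("s2", "SELECT DBMS_LDAP . INIT('host-a.example', 25) FROM dual"),
    ("s2", "SELECT DBMS_LDAP.INIT('host-a.example', 80) FROM dual"),
    ("s3", "SELECT name FROM products WHERE id = 7"),
]
print(analyze(SAMPLE))
```

Targets built by string concatenation or bind variables are not literals and are not parsed here; a production rule should alert on any use of these packages from application accounts.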