Hackzzz - The Notebook

SQL injection attack, listing the database contents on Oracle

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle

Level: Practitioner

Now let's apply all our knowledge dumping an Oracle database.

Remember that because is oracle is some different logic.
Here we see all the tables on the DB that we can use.

We can filter the contents by using a user from the DB.
To list the Users, use the following payload in the image.

Now use the user to filter by it.

Im seeing an interesting columns so lets get its contents.

Here I used this little trick to represent the content more fancy and get the contents of Users_XXXX.
The difference between other databases from this is that you have different commands and its more special because of that.

PreviousSQL injection attack, listing the database contents on non-Oracle databases NextBlind SQL injection with conditional responses

Last updated 1 year ago