GROUP_CONCAT() for Oracle blind SQL injection
GROUP_CONCAT() is a MySQL function that returns a string formed by concatenating multiple rows of a table.
This function is very useful in blind SQL injection attacks where you often need to extract multiple rows from a table in a single query. Then you will probably obtain this data through an out-of-band channel.
Unfortunately, Oracle does not have such a function. So what do you do if you need to extract multiple rows in a single query?
After a few hours of searching I have found a solution that works:
Assuming you have a table called mytable which has a column called mycolumn, you can obtain a concatenation of all the values from mycolumn by using this query:
    SELECT LTRIM(MAX(SYS_CONNECT_BY_PATH(mycolumn, ','))
                 KEEP (DENSE_RANK LAST ORDER BY curr), ',') AS xyz
    FROM (SELECT mycolumn, rownum AS curr, rownum - 1 AS prev
          FROM mytable
          WHERE mycolumn <= 'C02BC00555')
    CONNECT BY prev = PRIOR curr
    START WITH curr = 1
This worked for me in Oracle 10g but I'm pretty sure it works for other versions too.
Cheers,
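
For defenders, the constructs in the query above form a recognizable signature in request logs. The following is an added example, not part of the original post: it scans request parameters for those constructs. The pattern list, the function names and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, quote_plus

# Constructs used by the row-concatenation queries discussed in this post.
PATTERNS = {
    "SYS_CONNECT_BY_PATH": re.compile(r"\bSYS_CONNECT_BY_PATH\s*\("),
    "CONNECT BY PRIOR": re.compile(r"\bCONNECT\s+BY\b.*\bPRIOR\b"),
    "KEEP DENSE_RANK": re.compile(r"\bKEEP\s*\(\s*DENSE_RANK\b"),
    "GROUP_CONCAT": re.compile(r"\bGROUP_CONCAT\s*\("),
}
# Function-call constructs rarely occur in ordinary user input; the
# keyword-only patterns can match plain English, so they do not alert alone.
STRONG = {"SYS_CONNECT_BY_PATH", "GROUP_CONCAT"}

def normalize(value):
    """Strip inline SQL comments, collapse whitespace, fold case."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).upper()

def scan_request(url):
    """Return sorted (parameter, construct) hits for one request URL."""
    hits = set()
    # parse_qsl URL-decodes each value ('+' and %XX) before matching.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = normalize(value)
        hits.update((name, label) for label, rx in PATTERNS.items()
                    if rx.search(text))
    return sorted(hits)

def is_alert(url):
    """Alert when any parameter carries a function-call construct."""
    return any(label in STRONG for _, label in scan_request(url))

# Constructed sample input: the post's query, lower-cased and URL-encoded.
PAGE_QUERY = ("select ltrim(max(sys_connect_by_path(mycolumn,',')) "
              "keep (dense_rank last order by curr),',') from (select mycolumn, "
              "rownum as curr, rownum-1 as prev from mytable) "
              "connect by prev = prior curr start with curr = 1")
SAMPLE_URLS = [
    "/products?id=42&sort=name",                      # benign
    "/search?q=connect+by+phone+prior+to+visiting",   # keyword-only match
    "/products?id=" + quote_plus(PAGE_QUERY),         # the post's query
    "/report?cols=" + quote_plus("group_concat(name)"),
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(is_alert(url), scan_request(url))
```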
July 6, 2010 at 8:49 pm
Sql injection tools pangolin liqidis havij jsky safe3 m4x Sqlihelper
July 9, 2010 at 9:21 am
Of course, there are many tools but they do not always do what you need.
That is why manual testing is mandatory for a quality pentest.