GROUP_CONCAT() for Oracle blind SQL injection

GROUP_CONCAT() is a MySQL function that returns a string formed by concatenating multiple rows of a table.

This function is very useful in blind SQL injection attacks where you often need to extract multiple rows from a table in a single query. Then you will probably obtain this data through an out-of-band channel.

Unfortunately, Oracle does not have such a function. So what do you do if you need to extract multiple rows in a single query?

After a few hours of searching I have found a solution that works:

Assuming you have a table called mytable which has a column called mycolumn, you can obtain a concatenation of all the values from mycolumn by using this query:

    SELECT LTRIM(MAX(SYS_CONNECT_BY_PATH(mycolumn, ','))
                 KEEP (DENSE_RANK LAST ORDER BY curr), ',') AS xyz
    FROM (SELECT mycolumn, rownum AS curr, rownum - 1 AS prev
          FROM mytable
          WHERE mycolumn <= 'C02BC00555')
    CONNECT BY prev = PRIOR curr
    START WITH curr = 1

This worked for me in Oracle 10g but I'm pretty sure it works for other versions too.
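From the defender's side, the constructs this query depends on (SYS_CONNECT_BY_PATH, CONNECT BY ... PRIOR, KEEP (DENSE_RANK ...)) almost never appear in legitimate request values, which makes them a usable detection signature for web logs. The following Python detector is an added example, not part of the original post; the log format, addresses, paths and parameter names are constructed for illustration.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Oracle constructs used by the query above; rare in legitimate request values.
SIGNATURES = {
    "sys_connect_by_path": re.compile(r"\bsys_connect_by_path\s*\(", re.I),
    "connect_by_prior": re.compile(r"\bconnect\s+by\b.{0,80}?\bprior\b", re.I),
    "keep_dense_rank": re.compile(r"\bkeep\s*\(\s*dense_rank\b", re.I),
}
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(raw: str) -> str:
    """Undo up to three layers of URL encoding, drop /* */ comments, collapse whitespace."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", INLINE_COMMENT.sub(" ", text))

def match_signatures(raw: str) -> list:
    """Return the sorted names of all signatures found in one log line."""
    text = normalize(raw)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan(lines, threshold=2):
    """Return (line_number, hits) for lines matching at least `threshold` signatures."""
    hits = ((n, match_signatures(line)) for n, line in enumerate(lines, 1))
    return [(n, found) for n, found in hits if len(found) >= threshold]

# The query from this post (WHERE filter omitted), used to build constructed log lines.
PAGE_QUERY = (
    "SELECT LTRIM(MAX(SYS_CONNECT_BY_PATH(mycolumn,',')) KEEP (DENSE_RANK LAST "
    "ORDER BY curr),',') AS xyz FROM (SELECT mycolumn, rownum AS curr, rownum -1 "
    "AS prev FROM mytable) CONNECT BY prev = PRIOR curr START WITH curr = 1"
)
# Constructed sample access-log lines; addresses, paths and parameters are made up.
SAMPLE_LOG = [
    '192.0.2.10 "GET /search?q=connect+by+phone+prior+to+visit HTTP/1.1" 200',
    '192.0.2.77 "GET /item?id=' + quote_plus(PAGE_QUERY) + ' HTTP/1.1" 500',
    '192.0.2.77 "GET /item?id=' + quote_plus(quote_plus(PAGE_QUERY)) + ' HTTP/1.1" 500',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The first sample line matches one signature by coincidence of ordinary words, which is why the default threshold requires two before a line is reported.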



2 Responses to “GROUP_CONCAT() for Oracle blind SQL injection”

  1. Sql injection tools pangolin liqidis havij jsky safe3 m4x Sqlihelper

    • stormsecurity Says:

      Of course, there are many tools but they do not always do what you need.
      That is why manual testing is mandatory for a quality pentest.
