SQL Injection Cookbook - Oracle

=Database objects=

Create a stored procedure or function
=System data=

File uploads
=Queries=

String-based queries with no quote characters
String concatenation is performed by a double pipe (||). SELECT FirstName || ' ' || LastName FROM People

Tableless queries
Tableless queries aren’t supported in Oracle per se. However, a special table named "Dual" allows for similar functionality. This doesn't help much for filter evasion since it still matches the standard SELECT syntax. SELECT 'This is a string' FROM Dual

Set operators
Set operators are used to combine the results from two different queries. The number of columns and order of column types must be identical for both queries. The general syntax is

SELECT fname, lname FROM employees SET_OPERATOR SELECT fname, lname FROM customers

UNION Returns the rows from both queries, removing duplicates

UNION ALL Returns the rows from both queries, duplicates are not removed.

INTERSECT Returns the rows that are found in the results of both queries.

MINUS Returns only the rows in the first query that are not found in the second query.

Query output to file
=Attacks=

SQL Tautologies
A tautology is something that is inherently true. SQL tautologies are used when you want to force a query to return all results, basically ignoring any WHERE conditionals. Simple tautologies like " OR 1=1" are useful, but may be filtered out by some security tools. The table below offers a number of tautologies that filter writers (even on well known commercial tools) may not have considered.

=Data exfiltration=

General network
=Platform specific=