Blind SQL injection with conditional errors for oracle database.

-

Blind SQL Injection with Conditional Errors (Oracle Database)

Lab Overview

This lab demonstrates a blind SQL injection vulnerability in an Oracle database environment, where data is not directly returned in HTTP responses. Instead, information is extracted by forcing conditional database errors, allowing the attacker to infer results based on whether the application generates an error or behaves normally.

Unlike classic UNION-based SQL injection, this technique relies on Oracle-specific behavior, particularly the use of CASE, TO_CHAR, ROWNUM, and error generation through invalid arithmetic operations (such as division by zero).

The exploitation flow consists of:

  • Building boolean-based error logic
  • Verifying database structure and table existence
  • Extracting data using conditional errors
  • Automating password extraction using Burp Suite Intruder

This type of SQL injection is highly effective in Oracle systems because errors can be deliberately triggered to represent TRUE conditions.

Understanding Oracle Blind SQL Injection via Errors

Oracle behaves differently from other database engines like MySQL or PostgreSQL. One key difference is how it handles runtime errors inside expressions.

In this lab, a critical technique is used:

  • TO_CHAR(1/0) → forces a database error (division by zero)
  • If executed → response changes (TRUE condition)
  • If not executed → no error (FALSE condition)

This creates a binary oracle (true/false) response system, which can be exploited to extract data.

Instead of retrieving data directly, we manipulate SQL logic so that:

  • TRUE condition → triggers error → observable response change
  • FALSE condition → no error → normal response

This allows inference-based extraction.

Step 1: Verifying SQL Injection Context in Oracle

Before extraction begins, we confirm that the injection point allows SQL expression chaining.

Oracle string concatenation is commonly used:

'|| <payload> ||'

This breaks out of a string context and injects SQL logic into the query execution path.

Step 2: Verifying Table Existence

Before targeting sensitive data, we verify whether tables exist in the database.

Test 1: Invalid table check

'||(SELECT '' FROM not-a-real-table)||'

If the table does NOT exist:

  • Oracle throws an error
  • Response behavior changes

If it exists:

  • Query executes silently

This helps confirm how the database responds to invalid references.

Test 2: Valid table confirmation

'||(SELECT '' FROM users WHERE ROWNUM = 1)||'

This payload confirms the existence of the users table.

Explanation:

  • ROWNUM = 1 limits output to one row
  • SELECT '' ensures no visible output is returned
  • If the table exists → query executes successfully
  • If not → error occurs

This confirms that:

  • The users table exists
  • The injection point executes subqueries correctly

Step 3: Building Boolean Error Logic

The core of this attack is forcing Oracle to generate errors based on conditions.

Test payload (true condition triggers error):

'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'

Explanation:

  • CASE WHEN (1=1) → always TRUE
  • TRUE branch executes: TO_CHAR(1/0)
  • Division by zero causes Oracle runtime error
  • Error = observable response change

This confirms:

  • Conditional logic is executed
  • Errors can be used as boolean indicators

If condition is FALSE:

  • No error is triggered
  • Response remains normal

This establishes a true/false inference channel

Step 4: Determining Password Length (Brute Force Logic)

Once boolean logic is confirmed, we begin extracting data by testing password length.

Main Payload:

'||(SELECT CASE WHEN LENGTH(password) > 1 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username = 'administrator')||'

How it works:

  • If password length > 1 → error triggered
  • If password length ≤ 1 → no error

By incrementing the number (1, 2, 3, …), we identify the exact password length.

Result inference process:

We repeat:

LENGTH(password) > X

until:

  • TRUE stops being triggered at a certain point

This reveals the exact password length.

Step 5: Extracting Password Characters (Core Exploitation)

Once the password length is known, we extract it character by character using SUBSTR.

Character validation payload:

'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username = 'administrator')||'

OR

'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) END FROM users WHERE username = 'administrator')||'

The double hyphen is for commenting out the rest of the sql querry on the backend database.

Explanation:

  • SUBSTR(password,1,1) extracts first character
  • Compares it with 'a'
  • If match → error triggered
  • If not match → normal response

This creates a character validation oracle.

Iterative process:

We repeat for:

  • Position 1 → 20 (or discovered length)
  • Characters:
    • a-z
    • 0-9

Each correct match produces:

  • Error response (TRUE)
    Each incorrect match produces:
  • Normal response (FALSE)

This allows full password reconstruction.

Step 6: Full Brute Force Strategy(Cluster Bomb Attack) Using Burp Suite Intruder

To automate extraction, Burp Suite Intruder is used.

Attack configuration:

  • Attack type: Cluster Bomb
  • Payload set 1: character position (1 → password length)
  • Payload set 2: character list (bruteforce set)

Why Cluster Bomb is used:

Cluster Bomb allows:

  • Testing multiple positions simultaneously
  • Testing multiple characters per position
  • Full Cartesian combination coverage

Intruder logic flow:

For each request:

  1. Inject position index
  2. Inject character guess
  3. Observe response:
    • Error → correct character
    • No error → incorrect character

This transforms manual inference into an automated extraction engine.

Oracle error-based blind SQL injection is especially effective because:

  • Errors are highly distinguishable
  • CASE statements allow conditional execution
  • Arithmetic errors (1/0) are reliable triggers
  • SUBSTR and LENGTH functions simplify extraction logic

Unlike time-based attacks, error-based inference is:

  • Faster
  • More reliable
  • Easier to detect in response behavior 

From a security standpoint, this attack produces subtle but detectable patterns.

Indicators include:

  • Repeated conditional SQL payloads
  • Frequent use of CASE WHEN
  • Repeated access to users table
  • Systematic variation in input parameters

Security tools such as ModSecurity can detect:

  • SQL syntax patterns
  • Repeated injection attempts
  • Oracle-specific function misuse

Database auditing in Oracle can also log:

  • Repeated errors from 1/0
  • Suspicious use of SUBSTR and LENGTH
  • Unusual query repetition patterns

Root Cause and Remediation

The root cause is insecure SQL construction and lack of input sanitization.

Even though output is hidden, SQL logic is still executed.

Recommended fixes:

  • Use parameterized queries (prepared statements)
  • Disable dynamic SQL concatenation
  • Restrict database privileges
  • Avoid exposing Oracle error behavior
  • Implement uniform application responses
  • Monitor and log SQL error patterns

Additional Oracle hardening:

  • Restrict access to system functions like CASE, SUBSTR
  • Limit exposure of user tables
  • Enable strict auditing

Comments

Post a Comment

Popular posts from this blog

Linux AAA

-
Image
Linux AAA Authentication What it means: Authentication verifies who the user is . How it works in Linux: When you log in, Linux checks your credentials (usually username + password) against /etc/passwd and /etc/shadow . /etc/passwd stores user information (username, UID, GID, shell, home directory). /etc/shadow stores hashed passwords and password expiration info, readable only by root. Common authentication methods: Local authentication: Using /etc/passwd and /etc/shadow . Remote authentication: Using services like: LDAP (Lightweight Directory Access Protocol) – centralized user management. Kerberos – provides secure, ticket-based authentication. RADIUS – used in network access (VPNs, Wi-Fi, etc.). PAM (Pluggable Authentication Modules) – modular framework used by Linux for integrating different authentication methods. Example PAM file location: /etc/pam.d/ Each service (like SSH, sudo, login) has its own PAM configuration file.
Read more

Peppermint Ticketing Software for help desk technicians.

-
Image
Peppermint Ticketing Peppermint is a modern, open-source help desk and issue tracking system built for IT teams, MSPs, and internal support departments that want a self-hosted, lightweight, and privacy-controlled solution. Peppermint prioritizes: Simplicity and speed Developer freedom Data sovereignty Low infrastructure footprint It’s designed for small to medium-sized teams who want something modern, minimalistic, and powerful — without being locked into enterprise subscriptions or bulky frameworks. Architecture Overview Peppermint’s backend is written primarily in TypeScript (Node.js) , with a PostgreSQL database and a React-based frontend . This makes it modular, fast, and compatible with modern deployment standards such as Docker , Kubernetes , and cloud instances (AWS, Linode, DigitalOcean, etc.). Architecture Components Component Technology / Purpose Backend  => Node.js (Express / Nest-like structure) Database  => PostgreSQL (relational, handles ti...
Read more

What is Osint?

-
 Open-Source Intelligence (OSINT) refers to the process of collecting, analyzing, and utilizing publicly available data from a wide variety of sources to gather intelligence. These sources can range from publicly accessible information on the internet to data from newspapers, government reports, databases, and even geospatial information. The key distinction of OSINT is that it does not involve covert or illegal methods of gathering information but rather focuses on using data that is readily available to the public, sometimes even through commercial or open platforms. Examples of OSINT data can be gathered from a wide array of open and accessible sources. Some key examples include: Social Media: Publicly available posts, images, videos, and profiles from platforms like Facebook, Twitter, LinkedIn, Instagram, and TikTok. These platforms can reveal personal details about individuals, locations, affiliations, and even plans for upcoming events. News Websites and Online Articles: Ne...
Read more