> For the complete documentation index, see [llms.txt](https://zeyad-abulaban.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://zeyad-abulaban.gitbook.io/notes/web-penetration-testing/web-vulns/sqli/oracle.md). # Oracle *** ## Summary Web based PL/SQL applications are enabled by the PL/SQL Gateway, which is is the component that translates web requests into database queries. ## How the PL/SQL Gateway Works Essentially the PL/SQL Gateway simply **acts as a proxy server taking** the user’s web request and passes it on to the database server where it is executed. The **PL/SQL code** **does not exist on the web server** but, rather, in the database server. This means that any weaknesses in the PL/SQL Gateway or any weaknesses in the PL/SQL application, when exploited, give an attacker direct access to the database server; *no amount of firewalls will prevent this*. URLs for PL/SQL web applications are normally easily recognizable and generally start with the following (xyz can be any string and represents a Database Access Descriptor, which you will learn more about later): * `http://www.example.com/pls/xyz` (Most recent on Apache) * `http://www.example.com/xyz/owa` (Older version) * `http://www.example.com/xyz/plsql` (Older version) In the **plsql.conf** Apache configuration file `/pls` is the default and the absence of a file extension in a URL could indicate the presence of the Oracle PL/SQL Gateway. Consider the following URL: ```txt http://www.server.com/aaa/bbb/xxxxx.yyyyy ``` If `xxxxx.yyyyy` were replaced with something along the lines of `ebank.home`, `store.welcome`, `auth.login`, or `books.search`, then there’s a fairly strong chance that the PL/SQL Gateway is being used. It is also possible to precede the requested package and procedure with the name of the user that owns it - i.e. the schema - in this case the user is `webuser`: ```txt http://www.server.com/pls/xyz/webuser.pkg.proc ``` In this URL, xyz is the **Database Access Descriptor**, or **DAD**.\* A DAD specifies information about the database server so that the PL/SQL Gateway can connect\*. It contains information such as the TNS connect string, the user ID and password, authentication methods, and so on. These DADs are specified in the `dads.conf` Apache configuration file in more recent versions or the `wdbsvr.app` file in older versions. Some default DADs include the following: ```txt SIMPLEDAD HTMLDB ORASSO SSODAD PORTAL PORTAL2 PORTAL30 PORTAL30_SSO TEST DAD APP ONLINE DB OWA ``` ## Determining if the PL/SQL Gateway is Running #### Server Response Headers ```txt Oracle-Application-Server-10g Oracle-Application-Server-10g/10.1.2.0.0 Oracle-HTTP-Server Oracle-Application-Server-10g/9.0.4.1.0 Oracle-HTTP-Server Oracle-Application-Server-10g OracleAS-Web-Cache-10g/9.0.4.2.0 (N) Oracle-Application-Server-10g/9.0.4.0.0 Oracle HTTP Server Powered by Apache Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_plsql/3.0.9.8.3a Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_plsql/3.0.9.8.3d Oracle HTTP Server Powered by Apache/1.3.12 (Unix) mod_plsql/3.0.9.8.5e Oracle HTTP Server Powered by Apache/1.3.12 (Win32) mod_plsql/3.0.9.8.5e Oracle HTTP Server Powered by Apache/1.3.19 (Win32) mod_plsql/3.0.9.8.3c Oracle HTTP Server Powered by Apache/1.3.22 (Unix) mod_plsql/3.0.9.8.3b Oracle HTTP Server Powered by Apache/1.3.22 (Unix) mod_plsql/9.0.2.0.0 Oracle_Web_Listener/4.0.7.1.0EnterpriseEdition Oracle_Web_Listener/4.0.8.2EnterpriseEdition Oracle_Web_Listener/4.0.8.1.0EnterpriseEdition Oracle_Web_listener3.0.2.0.0/2.14FC1 Oracle9iAS/9.0.2 Oracle HTTP Server Oracle9iAS/9.0.3.1 Oracle HTTP Server ``` #### The NULL Test In PL/SQL, `null` is a perfectly acceptable expression: ``` SQL> BEGIN   NULL;   END;   / PL/SQL procedure successfully completed. ``` We can use this to test if the server is running the PL/SQL Gateway. Simply take the `DAD` and append `NULL`, then append `NOSUCHPROC`: * `http://www.example.com/pls/dad/null` * `http://www.example.com/pls/dad/nosuchproc` If the server responds with a `200 OK` response for the first and a `404 Not Found` for the second then it indicates that the server is running the PL/SQL Gateway. #### Known Package Access On older versions of the PL/SQL Gateway, it is possible to directly access the packages that form the PL/SQL Web Toolkit such as the OWA and HTP packages. One of these packages is the `OWA_UTIL` package, which we’ll speak about more later on. This package contains a procedure called SIGNATURE and it simply outputs in HTML a PL/SQL signature. Thus requesting ```txt http://www.example.com/pls/dad/owa_util.signature ``` Returns the following output on the webpage ```txt "This page was produced by the PL/SQL Web Toolkit on date" ``` OR ```txt "This page was produced by the PL/SQL Cartridge on date" ``` If you don’t get this response but a 403 Forbidden response then you can infer that the PL/SQL Gateway is running. This is the response you should get in later versions or patched systems. ## Ref. BYPASSES: --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://zeyad-abulaban.gitbook.io/notes/web-penetration-testing/web-vulns/sqli/oracle.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.