Long story short, I scanned a website and found an SQL injection bug. (Did it several times and that was the only thing I could find.)
So I used sqlmap to retrieve databases, tables, and columns. This website is using an Oracle database. (Oracle Database 12c Enterprise Edition Release 220.127.116.11.0 – 64bit Production)
Now here is the problem: I don’t have enough privilege to access SYS, and on the other side all the passwords are hashed in that database.
I created an account using password ‘password’ and this is what I got:
I changed my password to some gibberish and changed it back to ‘password’ and the hash changed, so it’s definitely salted as well.
So now I’m stuck with a bunch of hashed passwords and don’t really know what to do. Any ideas?
— Just to clarify one more time, the database is Oracle, the only bug I could find was SQL INJECTION, oh and I almost forgot to mention that the backend is ASP.NET, if it helps (?). Also the current user is not SYS. I don’t have enough privilege to access the SYS db.