Hello, world wide web and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 6. This lab requires you to return the database type on MySQL with Microsoft. I’m not sure if that means, a MySQL database on Microsoft Windows or whether it means MySQL and MSSQL. Let’s find out.
SQL injection attack, querying the database type and version on MySQL and Microsoft
Looking at the lab somewhat clears up the requirements to solve it. It asks us to find a vulnerability in the product category filter. With this vulnerability, it wants us to perform a UNION attack to retrieve the database version string. It’s essentially the same as the last lab but this time we’re querying a different type of database.
The Application
Ah yes, the familiar application that we’ve come to know and love. It has a navigation menu at the top of the page containing various categories. Underneath, it has the products with a title of the product with bold font and a description with regular font. I like to make a point of explaining what type of font each column is using because it can affect the output of your SQL injection.
The SQL Version
In order to retrieve the SQL version, we first need to identify how many columns there are and how many of those columns use text. We have done this in previous labs so please refer to my write-ups on those if you haven’t done them. The syntax is slightly different with this type of database. Instead of commenting out the rest of the query using the double dash ‘–‘ We need to use the pound or hash sign ‘#‘. Once we know that, we can then move on to getting the version information.
GET /filter?category=Accessories'+UNION+SELECT+NULL,NULL# HTTP/1.1
The SQL Injection
Now that we know the number of columns, we can ask the database to return the version information into one of those columns. In order to do this, we need to ask for the ‘@@version‘ information. You can append the following SQL statement to the parameter and then forward it to the application.
GET /filter?category=Accessories'+UNION+SELECT+@@version,+NULL# HTTP/1.1
The results will then be displayed at the bottom of the page which in this case is version 8.0.27. This is a very handy technique if you wanted to identify the specific version of the database running. You could then use this information to look for vulnerabilities that impact that version.
