Hello friends and today HaXeZ is looking at the 5th SQL Injection lab on Portswigger Web Security Academy. This lab requires you to perform a UNION-based SQL injection to retrieve the database version string. We can use the same techniques that we have developed so far.
SQL injection attack, querying the database type and version on Oracle
So as stated above, we need to perform an SQL injection UNION-based attack to retrieve the version number of the database. It is specific to Oracle databases so the syntax may be different depending on which type of database you’re testing.
As with the previous labs, the application is fairly basic. It has a navigation menu at the top with a list of products underneath. It looks like we have two columns to play with this time: a title in bold font, and a description in normal font. We can capture a request with Burp Suite and determine the precise structure using the NULL method that we have used previously. However, one caveat is that we need to use ‘FROM DUAL‘ when testing the number of columns.
We need to use ‘FROM DUAL‘ because it’s an Oracle database. There is lots more information out there (such as on Stack Overflow) on why this matters, so I will let you go forth and do your own research. Once we have determined that there are two columns, we can then determine which columns contain text (it should be both of them in this lab).
GET /filter?category=Corporate+gifts'+UNION+SELECT+NULL,NULL+FROM+DUAL-- HTTP/1.1
The SQL Injection
Now that we know that both columns contain text, we can tell the database that we want the version of the database. We can choose which column we want the information injected into, but we also need to supply the NULL value for the column we don’t use. As you can see from the code and the image below, I have opted to use the first column to return the information, and then used ‘NULL‘ for the second column. We then specify that we want the server ‘BANNER‘ from ‘v$version‘.
GET /filter?category=Corporate+gifts'+UNION+SELECT+BANNER,NULL+FROM+v$version-- HTTP/1.1
You can then append the query to your request and the results should be displayed in the application’s response. Congratulations, you have just solved this lab.
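Added here as an illustration, not code from the original post or from PortSwigger: a Python sketch of both sides of this lab. It assumes a hypothetical products table and uses SQLite as a stand-in for Oracle, so it shows the string-concatenation pattern that lets the category parameter rewrite the query, the parameterised lookup that treats the same value as plain data, and a simple check that flags the two requests shown above in a request log.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed request lines in the shape the lab uses (not captured from the lab itself).
REQUEST_LINES = [
    "GET /filter?category=Corporate+gifts HTTP/1.1",
    "GET /filter?category=Corporate+gifts'+UNION+SELECT+NULL,NULL+FROM+DUAL-- HTTP/1.1",
    "GET /filter?category=Corporate+gifts'+UNION+SELECT+BANNER,NULL+FROM+v$version-- HTTP/1.1",
]

def category_param(request_line: str) -> str:
    """URL-decode the category parameter the way the application would see it."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query)["category"][0]

def build_query_unsafe(category: str) -> str:
    """Assumed vulnerable pattern: the decoded value is pasted into the SQL text, so the
    closing quote, the UNION and the trailing comment (--) all become part of the statement."""
    return f"SELECT title, description FROM products WHERE category = '{category}'"

def lookup_safe(conn: sqlite3.Connection, category: str) -> list:
    """Hardened form: a bound parameter is only ever compared as data, never parsed as SQL."""
    sql = "SELECT title, description FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()

# Detection: a quote followed by UNION SELECT ... FROM DUAL or FROM v$version.
UNION_PROBE = re.compile(r"'\s*UNION\s+SELECT\b.*\bFROM\s+(DUAL|v\$version)\b", re.I)

def flags_union_probe(request_line: str) -> bool:
    """True when the decoded category carries the Oracle column-count or BANNER probe."""
    return UNION_PROBE.search(category_param(request_line)) is not None

def demo() -> tuple:
    """Run the hardened lookup with a normal value and with the BANNER payload."""
    conn = sqlite3.connect(":memory:")  # stand-in for the lab's Oracle database
    conn.execute("CREATE TABLE products (title TEXT, description TEXT, category TEXT)")
    conn.execute("INSERT INTO products VALUES ('Pen', 'A branded pen', 'Corporate gifts')")
    normal = lookup_safe(conn, category_param(REQUEST_LINES[0]))
    injected = lookup_safe(conn, category_param(REQUEST_LINES[2]))  # no such category -> []
    return normal, injected

if __name__ == "__main__":
    for line in REQUEST_LINES:
        print(flags_union_probe(line), build_query_unsafe(category_param(line)))
    print(demo())
```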