Hello world, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 8. This lab requires you to query the information schema to get the table name, and column names and then perform a UNION injection to get the administration username and password. It’s the same as the last lab except this time we need to alter our syntax as we’re doing it against an Oracle database.
SQL injection attack, listing the database contents on Oracle
So as stated in the introduction, we need to use Oracle database syntax to perform a UNION-based SQL injection to retrieve the contents of the database. More specifically, we need to dump the contents of the users’ table and log in to the application as the administrator in order to solve the lab.
The Application
First things first, we need to explore the familiar application. it’s exactly the same as with the previous lab. There is a navigation menu at the top of the page and some product details underneath. It appears there are two columns, which we can validate using the ‘NULL, NULL+FROM+DUAL-- ‘ syntax that we used in previous exercises.
Querying The Database Tables
Once we have verified that there are two columns and that both allow text, we can start querying the database for all table names. Instead of querying the ‘information.schema‘ table that we use in the previous lab, this time we have to query ‘all_tables‘. The syntax below will return all tables currently in the database. Please note that rendering directly through burp may not show all the tables. I had to switch back to the raw mode in order to find the user’s table.
GET /filter?category=Accessories'+UNION+SELECT+table_name,NULL+FROM+all_tables-- HTTP/1.1
Querying The Table Columns
Once we have the table name, in this case ‘USERS_GVOYYA‘, we can start querying the columns within that table. In order to do this, we need to use ‘all_tab_columns‘ and specify the table which we found using the previous command. As you can see from the screenshot below, this produces two results ‘PASSWORD_HPZDJL‘ and ‘USERNAME_SYDOYL‘.
GET /filter?category=Accessories'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_GVOYYA'-- HTTP/1.1
Querying The Colum Data
We now have everything we need to query the table directory and get it to dump its secrets. The screenshot below illustrates that it was possible to dump the contents of the ‘USERS_GVOYYA‘ including the username and password of the administrator users. Using this information we should be able to complete the lab.
GET /filter?category=Accessories'+UNION+SELECT+PASSWORD_HPZDJL,+USERNAME_SYDOYL+FROM+USERS_GVOYYA-- HTTP/1.
The SQL Injection
Then take results of the SQL injection and head over to the login page link at the top of the screen. Input your newly acquired username and password and you should solve the lab. Congratulations.
