PortSwigger: SQL injection attack, listing the database contents on Oracle

PortSwigger Web Security Academy: SQL injection 8

Hello world, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 8. This lab requires you to query the information schema to get the table name, and column names and then perform a UNION injection to get the administration username and password. It’s the same as the last lab except this time we need to alter our syntax as we’re doing it against an Oracle database.

SQL injection attack, listing the database contents on Oracle
SQL injection attack, listing the database contents on Oracle

SQL injection attack, listing the database contents on Oracle

So as stated in the introduction, we need to use Oracle database syntax to perform a UNION-based SQL injection to retrieve the contents of the database. More specifically, we need to dump the contents of the users’ table and log in to the application as the administrator in order to solve the lab.

The Lab
The Lab

The Application

First things first, we need to explore the familiar application. it’s exactly the same as with the previous lab. There is a navigation menu at the top of the page and some product details underneath. It appears there are two columns, which we can validate using the ‘NULL, NULL+FROM+DUAL-- ‘ syntax that we used in previous exercises.

The Application
The Application

Querying The Database Tables

Once we have verified that there are two columns and that both allow text, we can start querying the database for all table names. Instead of querying the ‘information.schema‘ table that we use in the previous lab, this time we have to query ‘all_tables‘. The syntax below will return all tables currently in the database. Please note that rendering directly through burp may not show all the tables. I had to switch back to the raw mode in order to find the user’s table.

GET /filter?category=Accessories'+UNION+SELECT+table_name,NULL+FROM+all_tables-- HTTP/1.1
SQL Injection - Querying The Database Tables
SQL Injection – Querying The Database Tables

Querying The Table Columns

Once we have the table name, in this case ‘USERS_GVOYYA‘, we can start querying the columns within that table. In order to do this, we need to use ‘all_tab_columns‘ and specify the table which we found using the previous command. As you can see from the screenshot below, this produces two results ‘PASSWORD_HPZDJL‘ and ‘USERNAME_SYDOYL‘.

GET /filter?category=Accessories'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_GVOYYA'-- HTTP/1.1
SQL Injection - Querying The Table Columns
SQL Injection – Querying The Table Columns

Querying The Colum Data

We now have everything we need to query the table directory and get it to dump its secrets. The screenshot below illustrates that it was possible to dump the contents of the ‘USERS_GVOYYA‘ including the username and password of the administrator users. Using this information we should be able to complete the lab.

GET /filter?category=Accessories'+UNION+SELECT+PASSWORD_HPZDJL,+USERNAME_SYDOYL+FROM+USERS_GVOYYA-- HTTP/1.
SQL Injection - Querying The Colum Data
SQL Injection – Querying The Colum Data

The SQL Injection

Then take results of the SQL injection and head over to the login page link at the top of the screen. Input your newly acquired username and password and you should solve the lab. Congratulations.

Log in
Log in