PortSwigger: SQL injection attack, listing the database contents on non-Oracle databases

PortSwigger Web Security Academy: SQL injection 7

Hello World, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 7. This lab requires you to query the information schema to get the table name, and column names and then perform a UNION injection to get the administration username and password.

SQL injection attack, listing the database contents on non-Oracle databases
SQL injection attack, listing the database contents on non-Oracle databases

SQL injection attack, listing the database contents on non-Oracle databases

So as mentioned above, this lab requires some logical thinking when structuring your query. First, you need to query the information schema to find out what tables there are. Then you need to query it again to find out what columns are in a particular table. Finally, you have to modify your attack to query the specific table to return the contents of the specified columns.

SQL injection lab
The Lab

The Application

Navigating to the application we can see it is laid out like the rest of them with the navigation menu at the top and the list of products underneath. In order to capture a request, we need to turn the intruder on in Burp Suite and click on the navigation URLs to capture it.

The Application
The Application

Querying The Database Tables

With the request captured, we can perform our standard column enumeration to determine how many columns there are and which columns contain text. Once we have identified that there are two columns that both contain text, we can query the ‘information_schema‘ table so that it returns the names of all other tables in the database.

'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
SQL Injection - Querying The Database Tables
SQL Injection – Querying The Database Tables

Querying The Table Columns

Now that we know the names of the tables, we can identify which tables might be interesting. Looking at the results we can see that there is a table called ‘users_odzpcz‘. This table will likely contain some juicy user credentials but in order to proceed, we need to know what columns are in that table. The image below shows the result of the query where we’re asking for the column names.

'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_odzpcz'--
SQL Injection - Querying The Table Columns
SQL Injection – Querying The Table Columns

Querying The Colum Data

Now that we have the column names, we can query the table directly and ask it to dump the contents of the two columns ‘password_nawvpk‘ and ‘username_bzubfy‘. I found that it was important to put the column names in the order that they appeared in the previous query. Otherwise, I just received a server error.

'+UNION+SELECT+password_nawvpk,+username_bzubfy+FROM+users_odzpcz--
Querying The Colum Data
SQL Injection – Querying The Colum Data

The SQL Injection

With the SQL injection complete, all we need to do is look through the data and locate the administrator username and password. Once we have that information, we can head to the login page and use the credentials to log in and complete the lab.

The Login
The Login
%d bloggers like this: