Category: Burp

Hello world, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 8. This lab requires you to query the information schema to get the table name, and column names and then perform a UNION injection to get the administration username and password. It’s the same as the last lab except this time we need to alter our syntax as we’re doing it against an Oracle database.

SQL injection attack, listing the database contents on Oracle

So as stated in the introduction, we need to use Oracle database syntax to perform a UNION-based SQL injection to retrieve the contents of the database. More specifically, we need to dump the contents of the users’ table and log in to the application as the administrator in order to solve the lab.

The Application

First things first, we need to explore the familiar application. it’s exactly the same as with the previous lab. There is a navigation menu at the top of the page and some product details underneath. It appears there are two columns, which we can validate using the ‘NULL, NULL+FROM+DUAL-- ‘ syntax that we used in previous exercises.

Querying The Database Tables

Once we have verified that there are two columns and that both allow text, we can start querying the database for all table names. Instead of querying the ‘information.schema‘ table that we use in the previous lab, this time we have to query ‘all_tables‘. The syntax below will return all tables currently in the database. Please note that rendering directly through burp may not show all the tables. I had to switch back to the raw mode in order to find the user’s table.

GET /filter?category=Accessories'+UNION+SELECT+table_name,NULL+FROM+all_tables-- HTTP/1.1

Querying The Table Columns

Once we have the table name, in this case ‘USERS_GVOYYA‘, we can start querying the columns within that table. In order to do this, we need to use ‘all_tab_columns‘ and specify the table which we found using the previous command. As you can see from the screenshot below, this produces two results ‘PASSWORD_HPZDJL‘ and ‘USERNAME_SYDOYL‘.

GET /filter?category=Accessories'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_GVOYYA'-- HTTP/1.1

Querying The Colum Data

We now have everything we need to query the table directory and get it to dump its secrets. The screenshot below illustrates that it was possible to dump the contents of the ‘USERS_GVOYYA‘ including the username and password of the administrator users. Using this information we should be able to complete the lab.

GET /filter?category=Accessories'+UNION+SELECT+PASSWORD_HPZDJL,+USERNAME_SYDOYL+FROM+USERS_GVOYYA-- HTTP/1.

The SQL Injection

Then take results of the SQL injection and head over to the login page link at the top of the screen. Input your newly acquired username and password and you should solve the lab. Congratulations.

Hello, world wide web and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 6. This lab requires you to return the database type on MySQL with Microsoft. I’m not sure if that means, a MySQL database on Microsoft Windows or whether it means MySQL and MSSQL. Let’s find out.

SQL injection attack, querying the database type and version on MySQL and Microsoft

Looking at the lab somewhat clears up the requirements to solve it. It asks us to find a vulnerability in the product category filter. With this vulnerability, it wants us to perform a UNION attack to retrieve the database version string. It’s essentially the same as the last lab but this time we’re querying a different type of database.

The Application

Ah yes, the familiar application that we’ve come to know and love. It has a navigation menu at the top of the page containing various categories. Underneath, it has the products with a title of the product with bold font and a description with regular font. I like to make a point of explaining what type of font each column is using because it can affect the output of your SQL injection.

The SQL Version

In order to retrieve the SQL version, we first need to identify how many columns there are and how many of those columns use text. We have done this in previous labs so please refer to my write-ups on those if you haven’t done them. The syntax is slightly different with this type of database. Instead of commenting out the rest of the query using the double dash ‘–‘ We need to use the pound or hash sign ‘#‘. Once we know that, we can then move on to getting the version information.

GET /filter?category=Accessories'+UNION+SELECT+NULL,NULL# HTTP/1.1

The SQL Injection

Now that we know the number of columns, we can ask the database to return the version information into one of those columns. In order to do this, we need to ask for the ‘@@version‘ information. You can append the following SQL statement to the parameter and then forward it to the application.

GET /filter?category=Accessories'+UNION+SELECT+@@version,+NULL# HTTP/1.1

The results will then be displayed at the bottom of the page which in this case is version 8.0.27. This is a very handy technique if you wanted to identify the specific version of the database running. You could then use this information to look for vulnerabilities that impact that version.

Hello friends and today HaXeZ is looking at the 5th SQL Injection lab on Portswigger Web Security Academy. This lab requires you to perform a UNION-based SQL injection to retrieve the database version string. We can use the same techniques that we have developed so far.

SQL injection attack, querying the database type and version on Oracle

So as stated above, we need to perform an SQL injection UNION-based attack to retrieve the version number of the database. It is specific to Oracle databases so the syntax may be different depending on which type of database you’re testing.

The Application

As with the previous labs, the application is fairly basic. It has a navigation menu at the top with a list of products underneath. It looks like we have two columns to play with this time. A title with the bold font, and a description, with the normal font. We can capture a request with Burp Suite and determine the precise structure using the NULL method that we have done previously. However, one caveat is that we need to use ‘FROM DUAL‘ when testing the number of columns.

SQL Version

We need to use ‘FROM DUAL‘ as it’s an Oracle database. There is lots more information out there (such as on Stack Overflow) on why this matters so I will let you go fourth and do your own research. Once we have determined that there is two columns, we can then determine which columns contain text (should be both of them in this lab).

GET /filter?category=Corporate+gifts'+UNION+SELECT+NULL,NULL+FROM+DUAL-- HTTP/1.1

The SQL Injection

Now that we know that both columns contain text, we can tell the database that we want the version of the database. We can choose which column we want the information injected in to, but we also need to supply the NULL value for the column we don’t use. As you can see from the code and the image below, I have opted to use the first column to return the information, and then used ‘NULL‘ for the second column. We then specify that we want the server ‘BANNER‘ from ‘v$version‘.

GET /filter?category=Corporate+gifts'+UNION+SELECT+BANNER,NULL+FROM+v$version-- HTTP/1.1

You can then append the query to your request and the results should be displayed in the applications response. Congratulations you have just solved this lab.

Hello friends and today HaXeZ is looking at the 4th SQL Injection lab on Portswigger Web Security Academy. This lab requires you to take the UNION-based injection performed in the third lab. However, this time there is only one column that supports text. We will need to concatenate the results in order to complete the lab.

SQL injection UNION attack, retrieving multiple values in a single column

We’ve already completed the previous lab that required us to get data from another table. I’m going to skip the steps to determine the number of columns and which of those columns contain text. You will use the same methods used previously to determine this.

The Application

As you can see from the image below, the application follows the same design as the other ones. It has a navigation menu along the top and a list of products underneath. However, this time we only have the name of the products. Previously, we had a description that allowed us to retrieve both the username and password.

Concatenation

Once we’ve worked out how many columns there are, and how many of those columns contain text. It’s time to figure out how we’re going to get the contents from two columns into a single column. This is called concatenation and is particularly useful when you only have one column to work with. In order to do this, we need to intercept the request. After a bit of poking around with the repeater, we have deduced that there are two columns but only the second column allows text.

GET /filter?category=Accessories'+UNION+SELECT+NULL,'a'-- HTTP/1.1

So now we need to concatenate the values from the usernames and passwords columns in the user’s table. In order to do this, we can use the following characters ‘||'~'||‘. The double pipe and the tilde in single quotation marks will tell the database that we want to merge the data from the usernames and passwords column. The tilde acts as a delimiter character which allows us to see where the username ends and the password begins.

GET /filter?category=Accessories'+UNION+SELECT+NULL,username||'~'||password+FROM+users-- HTTP/1.1

The SQL Injection with Concatenation

So now that we have our syntax, we can append it to the request and forward it back to the application. Once the server processes the request, we should have the results of the SQL injection at the bottom of the page. The username and passwords will be separated with a tilde.

And that’s it. All you need to do now is to grab the administrator username and password and login to the application to complete the lab. The power of concatenation is awesome, I learned a lot from this lab.

Hello friends and today HaXeZ is looking at the 3rd SQL Injection lab on Portswigger Web Security Academy. This lab requires you to take the UNION-based injection performed in the second lab, and extend it. This time we’re going to retrieve the contents of the username and password columns from the user table.

SQL injection UNION attack, retrieving data from other tables

As I mentioned, this lab requires you to use the techniques we’ve learned so far and build on them to retrieve the username and password columns from the users table. As always, we have our green button to head to the lab.

The Application

The application follows the same theme that we have been seeing in other labs. Navigation menu along the top with a list of descriptions underneath. However, this time it seems like we may only have two columns. There is a title that is in bold font, and a description that is in regular font. We can intercept a request to one of the categories to find out. Head to Burp, turn on intercept and click one of the links.

Intercepted!

With the request intercepted, we can start to enumerate the structure of the database. For example, we can start by determining how many columns there are using ‘UNION SELECT NULL-- ‘ method. As you can see from the image below, it appears that there are two columns. We increased the number of ‘NULL‘ values in our injection until we stopped receiving a 500 error.

Next, we need to determine which columns are capable of handling text. We don’t want to try and dump our usernames and passwords into columns that can only display numbers. In order to do this, we replace the NULL value with a quoted string such as ‘test’. Since we only have two columns and both of the columns displayed text, it’s a safe bet to assume ‘UNION SELECT 'test','test'-- ‘ would work. In the picture below I have used ‘a’ because I’m lazy.

The Injection

So following the logic we have learned so far we should now be able to dump the contents of the usernames and passwords columns from the user’s table. The syntax is pretty simple especially if you’re already somewhat familiar with Structured Query Language. We replace the test values with the columns we want and then specify where those columns are. You may have to play around with the spacing, especially at the end.

'+UNION+SELECT+USERNAME,+PASSWORD+FROM+users-- 

That’s it, you can forward the request to the application which should solve the lab. When the final page renders, you should have the username and passwords at the bottom of the page.

Amendedment

Don’t forget to log in as the administrator or else you won’t solve the lab. Whoops.

Hello friends and today HaXeZ is looking at the 2nd SQL Injection lab on Portswigger Web Security Academy. This lab requires you to take the UNION-based injection performed in the first lab, and extend it. Instead of just identifying the number of columns, we’re going to test which columns can hold text. In order to do this, we will use the same methodology for the first one but then replace one of the NULL values with a string.

SQL Injection UNION Attack, Finding Columns With Text

As stated above, the purpose of this lab is to help you learn how to identify columns that contain text. The reason this is useful is that if you want to dump the contents of a database, then you need to dump it to a compatible column. This lab requires you to perform an injection attack with some text provided.

The Application

The application is similar to the ones we have already seen. The navigation menu at the top with products listed underneath. However, at the top we have a message that says, Make the database retrieve the string ‘zns2kh’ (it changes each time). In order to do this, we need to turn intercept on and click one of the links. This will allow us to work on one of the parameters to figure out the injection.

Intercept and Repeat

As you can see from the image below, I have intercepted the request with Burp and sent it to repeater. I have then identified how many columns there are using the ‘Accessories'+UNION+SELECT+NULL,NULL,NULL--‘ method until the application stops producing a 500 error. Then we need to repeat this process but this time we replace the ‘NULL‘ values with a string. In the example below, I have used ‘a’ to determine which columns hold text. As you can see from the results, the second column contains text as it returns a valid response instead of a 500 error.

The SQL Injection

In order to solve the lab, you need to replace the string ‘a’ with the string at the top of the page. In fact, you could do the whole lab with the required string instead of using string ‘a’ but I needed to pad out this write-up to hit the desired word count. Anyway, that’s the solution, I hope you found this useful.

paramter'+UNION+SELECT+NULL,'your-string',NULL-- 

Hello friends and thanks for coming to HaXeZ where today we’re looking at the first SQL injection lab on Portswigger Web Security Academy. In order to keep things simple, I will be doing the labs in the order that they apepars on the all-labs page. While this doesn’t make much sense from a difficulty perspective, it will help with keeping things in order.

SQL Injection UNION Attack

The first lab in the SQL Injection series is a UNION based attack that requires you to determine the number of columns returned by the query. While this is a pretty steep point of entry, I’m always one for jumping in the deep end and learning to swim. The instructions explain that we need to use a UNION based attack and that we will be building on this type of attack for future labs. There is a green button to access the lab.

The Application

Clicking the green button takes us to the application which appears to be a shop. Furthermore, the shop has a navigation menu at the top of the page and some products listed underneath it. We can make an educated case right away that there is going to be three columns. However, there could be hidden columns somewhere that are not visible on the page. First things first, in Burp Suite, turn Intercept on. Then click one of the links and navigate to Burp to see the captured request.

Repeating The Payload

By far the easist way to test out payloads in Brup Suite is to send them to repeater. Repeater alloows you to send, modify and send payloads without having to reintercept the request. You can send the orginal request to repeater by right clicking in the request and chosing send to repeater. When then need to test how many columns there are. In order to do this, insert a single quotation mark after the Accessories paramter. Then, input the following syntax '+UNION+SELECT NULL-- make sure to include the space after the double hyphens. When you send this payload, you should get a 500 error message which indicates there is an error in your SQL syntax. That’s good news.

The SQL Injection

With our first payload giving us an error, we can increase the number of NULL values we add to the injection. The number of NULL values needs to equal the amount of columns thus allowing us to determine how many collumns there are. So add another NULL, then another one untill you get the response shown in the picture above. You can then add the payload to your orginal request and forward it. You would have already completed the lab but it’s nice to see how the injection is displayed on the page. The correct synax is displayed below.

Accessories'+UNION+SELECT+NULL,NULL,NULL--

Hello and welcome to HaXeZ, today we’re going to be talking about the Burp Suite Certified Practitioner certification. For those new to Cybersecurity, you may not know that Burp Suite is probably the best web testing tools available. You may also not know that Portswigger (the parent company) offers certification for Burp Suite. Furthermore, you may also not know that the exam to get the certificate is currently only $99! Additionally, if you pass it before December 10th, 2021, they will refund you!!!

Burp Wait, Theres More

The Burp Suite application requires an annual license fee (around $300) for the professional version. The professional version is required to pass the exam. However, you can register and download a 30-day free trial to practice with and take the exam. You don’t need to provide any credit card information, just sign up and download the client. If you have some spare time, then 30 days should be plenty to get through the exam (I hope).

Portswigger Web Security Academy

Did I mention that their academy is completely free to access? All of the resources that you need to learn to pass the exam are on their website. Furthermore, it even includes a progress tracker to show how far you have come since starting. It has articles on each vulnerability and then labs to practice attacking those vulnerabilities. Completing the lab will add progress to your learning progress.

Learning Paths

There are three distinct learning paths, Server-Side Topics, Client-Side Topics, and Advanced Topics. These topics are then broken down into different sections covering different vulnerabilities. For example, the first recommended learning path is Server-Side Topics and covers topics like SQL injection, XXE Injection, and Command Injection.

The Client-Side Topic has various modules including Cross-Site Scripting, Cross-Site Request Forgery, and Clickjacking. This module covers everything that can be exploited from clientside in the browser.

Finally, the advanced topics cover areas like insecure deserialization, server-side template injection, and web cache poisoning. There are a total of 21 modules. However, the modules vary in size so you could complete a couple of modules a day.

Wish me luck as I begin my BSCP journey.