Introduction

Hello, guys. How are you all doing? This is our 10th article on SQL Injection vulnerabilities. In this article, we will solve the PortSwigger Web Security lab on SQL injection attack, specifically focusing on listing the database contents on non-Oracle databases. We will cover the steps to solve it practically.

Lab Description

This lab has SQL Injection vulnerabilities in the Product category filter. The application displays the result of any query as a response on the interface. We can leverage this to perform a UNION attack and retrieve data from the tables.

The application also has a login interface, and our goal is to extract usernames and passwords from the table. We need to find the tables and columns that contain usernames and passwords. After that, we retrieve the administrator’s credentials and log in as an admin user to the application.

Lab Solution

First, access the lab and then click on any product category. In my case, I will test SQL Injection on the “Pets” category.

First, intercept this request in Burp Suite and send it to the Repeater, as we will perform testing on this request.

Now, add a single quote (‘) after “Pets,” and the server will return an error. It means there is an SQL Injection vulnerability.

Next, we need to find the columns.

Use the following UNION SELECT statement:

 '+UNION+SELECT+NULL,NULL--

In my case, there are only 2 columns.

Next, we test if both columns accept string values.

Use the following UNION SELECT statement:

 '+UNION+SELECT+'abc','def'--

Both columns accept string values in this case.

Now, we retrieve the list of tables in the database.

Use the following UNION SELECT statement:

 '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--

We have successfully retrieved the list of tables in the database. One of the tables starts with the keyword “users,” and it seems to store usernames and passwords.

Next, we retrieve usernames and passwords from the “users_iwnfyx” table.

Use the following UNION SELECT statement: Pets’+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name=’users_iwnfyx’–

As you can see, we have successfully found the names of the columns containing usernames and passwords. In the above query, we select the column names from the information_schema.columns where the table name is ‘users_iwnfyx’. In SQL language, we always enclose string values within ” (single quotes). Additionally, there is a WHERE clause that specifies the table name.

Now, we will dump the data from these columns to grab the usernames and passwords.

Use the following UNION SELECT statement:

'+UNION+SELECT+username_abcdef,+password_abcdef+FROM+users_abcdef--

We have successfully found the administrator’s username and password. In the above query, we used the two columns we previously dumped, and we included the table name in the query, where these two columns exist.

We have successfully solved the PortSwigger Web Security lab on SQL injection attack, listing the database contents on non-Oracle databases. Now, all we need to do is log in using the obtained credentials as the administrator.

Simply click on “My Account” and use the dumped admin credentials to log in. This will complete the lab challenge for you.

You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.

To continue studying check out the next lab i.e. SQL Injection Attack Listing The Database Contents On Oracle, cover the current lab before visiting the next lab. Good Luck!

FAQS