Introduction
Hello guys, this is our 11th article on SQL Injection. In this article, we will cover the PortSwigger Web Security lab on SQL injection attack, specifically focusing on listing the database contents on Oracle databases. We will provide a step-by-step practical solution.
Lab Description
This lab is described as vulnerable to SQL Injection. The SQL Injection vulnerability exists in the product category filter. When we submit a query, the application displays the result as a response. Based on this, we will retrieve data from the database using UNION attacks to fetch data from tables.
The application also has a login function that allows users to log in. In this lab, there is a table that stores usernames and passwords of administrators and other users. Our goal is to find that table and extract usernames and passwords to log in as an administrator.
To solve the lab, we need to log in as the administrator user.
Lab Solution
First, access the lab and click on any product filter that is displayed in the category. In my case, I will exploit the “Pets” endpoint.
Now, intercept this request in Burp Suite and send it to the Repeater tab, as we will exploit the SQL Injection vulnerability in this request.
First, try adding a single quote (') after “Pets” to confirm whether the server returns an error. An error here strongly suggests that the category value is being placed into an SQL query unescaped, i.e. that an SQL Injection vulnerability exists.
Next, we need to find the number of columns returned by the original query. In my case, there are 2 columns. Since this is an Oracle database, every SELECT must have a FROM clause, so we append FROM dual to the test query.
Now, we will check whether each column accepts string values (placing NULL in the other position).
Everything is working fine, as both columns accept string values. Now, it’s time to find and dump the names of the tables.
Use the following UNION SELECT statement:
'+UNION+SELECT+table_name,NULL+FROM+all_tables--
As you can see, we have used the above SQL Injection query to list the tables. Now, we will retrieve the data from the table USERS_NVEITI. We expect this table to contain usernames and passwords because it is not one of Oracle’s built-in tables and its name indicates that it stores users.
Use the following UNION SELECT statement:
'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_NVEITI'--
Now, we have successfully retrieved the column names from the USERS_NVEITI table. There is a column named USERNAME_VVZWIN and another named PASSWORD_QVXRSM. Next, we will grab the data from these two columns of the USERS_NVEITI table.
'+UNION+SELECT+USERNAME_VVZWIN,+PASSWORD_QVXRSM+FROM+USERS_NVEITI--
As you can see, we have retrieved the data from the table USERS_NVEITI, specifically the username and password columns. In this way, we have obtained the administrator’s credentials.
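The reason the UNION payloads above work is that the category value is concatenated into the SQL text. The following example is added here and is not code from the lab or from PortSwigger: it builds a constructed in-memory SQLite database (table and column names borrowed from the page, row values made up) and runs the page’s final payload through a string-concatenated filter and through a parameterized one. Oracle’s all_tables and all_tab_columns views have no SQLite equivalent, so only the data-dump step is reproduced; the fix (placeholder binding) is the same on Oracle.

```python
import sqlite3

# Constructed in-memory schema standing in for the lab's database.
# Table and column names follow the page's pattern (USERS_NVEITI etc.);
# the row values are made up for this example.
SCHEMA = """
CREATE TABLE products (name TEXT, category TEXT);
INSERT INTO products VALUES ('Dog leash', 'Pets'), ('Cat bed', 'Pets'), ('Kettle', 'Kitchen');
CREATE TABLE USERS_NVEITI (USERNAME_VVZWIN TEXT, PASSWORD_QVXRSM TEXT);
INSERT INTO USERS_NVEITI VALUES ('administrator', 'example-secret'), ('wiener', 'peter');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def filter_vulnerable(conn, category):
    # String concatenation: the user-controlled category becomes part of the SQL
    # text, so a quote followed by UNION SELECT changes the query's meaning.
    sql = "SELECT name, category FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()


def filter_parameterized(conn, category):
    # Placeholder binding: the driver sends the value separately from the SQL
    # text, so the quote and UNION are just characters in a category name that
    # matches no row.
    sql = "SELECT name, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


# The page's final payload, URL-decoded (the '+' signs in the page are spaces).
PAYLOAD = "' UNION SELECT USERNAME_VVZWIN, PASSWORD_QVXRSM FROM USERS_NVEITI--"


def compare(category=PAYLOAD):
    """Run the same input through both filters and return both result sets."""
    conn = open_db()
    try:
        return {
            "vulnerable": filter_vulnerable(conn, category),
            "parameterized": filter_parameterized(conn, category),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for mode, rows in compare().items():
        print(mode, rows)
```

With a normal category such as Pets both functions return the same two product rows; with the payload, the concatenated version returns the contents of USERS_NVEITI while the parameterized version returns nothing. Column-count and type probing (the NULL checks earlier on the page) only matter for the concatenated version, because a bound parameter can never add a second SELECT to the statement.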
So, when I used these credentials, I successfully solved the PortSwigger Web Security lab on SQL injection attack, listing the database contents on Oracle.
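From the defensive side, every request in this walkthrough leaves a recognisable trace in the web server’s access log: a quote, a UNION SELECT, references to Oracle’s catalog views and a trailing comment. The following detector is added here and is not part of the original article; the log format (client, method, path, status) and the log lines themselves are constructed for the example, reusing the page’s three payloads plus two benign requests.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the lab). Lines 1, 3 and 5 carry the
# page's three payloads; lines 2 and 4 are benign. Format: client method path status.
SAMPLE_LOG = """\
10.0.0.5 GET /filter?category=Pets'+UNION+SELECT+table_name,NULL+FROM+all_tables-- 200
10.0.0.6 GET /filter?category=Pets 200
10.0.0.5 GET /filter?category=Pets'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_NVEITI'-- 200
10.0.0.7 GET /product?productId=3&name=Union+Jack+mug 200
10.0.0.5 GET /filter?category=Pets'+UNION+SELECT+USERNAME_VVZWIN,+PASSWORD_QVXRSM+FROM+USERS_NVEITI-- 200
"""

# Each rule is (name, pattern) applied to the decoded, whitespace-normalised path.
RULES = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("oracle_catalog_view",
     re.compile(r"\b(all_tables|all_tab_columns|user_tables|dba_tables)\b", re.I)),
    ("quote_then_comment", re.compile(r"'.*--\s*$")),
]


def normalise(path):
    # Decode %xx sequences and '+' (the encoding Burp shows on the page), then
    # collapse whitespace so tabs or encoded newlines do not dodge the rules.
    return re.sub(r"\s+", " ", unquote_plus(path)).strip()


def inspect_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    parts = line.split()
    if len(parts) < 4:
        return None
    client, _method, path, _status = parts[:4]
    decoded = normalise(path)
    hits = [name for name, pat in RULES if pat.search(decoded)]
    if not hits:
        return None
    return {"client": client, "path": decoded, "rules": hits}


def scan(log_text):
    return [hit for hit in map(inspect_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], finding["rules"], finding["path"])
```

Decoding before matching is the important step: the raw log line contains `+UNION+SELECT+`, which a naive space-separated pattern would miss. The word-boundary rule on "union select" keeps a product name such as "Union Jack mug" from firing, and the three payloads from the page are each flagged by at least two independent rules, which is what you want before raising an alert on a single request.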
You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.
To continue studying, check out the next lab, Blind SQL Injection With Time Delays. Make sure you have covered the current lab before moving on to the next one. Good luck!
FAQs
Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.
Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.
It is always good practice to use an up-to-date browser and to apply updates promptly. Keep your browser plugins up to date, avoid malicious websites and links, enable two-factor authentication wherever it is offered, and be wary of clickjacking.
Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.