SQL injection attack, listing the database contents on non Oracle databases - KA4KA4/PortSwigger-SQL-injection-Labs GitHub Wiki

hello, let's start!

access the lab and choose gift category and intercept the request and send it to repeater.

start testing.

first thing we need to make error detect SQL injection. this example we know is that has SQL Injections but in real testing we need to detect if there is sql injection in parameter or not is break and occur error from database, error indicate there is sql injection, sometimes when breaks syntax it differs from website to another. this means we must try adding some functions such as single quote ", double Coutes "", slash / or encoding these queries ('-"-/) something like that.

Note: every parameter is vulnerable until prove reverse

now i sent single quote ' to see what happen

1

now we get error this indicate that may be vulnerable to SQL injection.

now we need to know number of columns. use this query.

'UNION+SELECT+NULL,NULL--

2

'UNION+SELECT+NULL,NULL--

  • Explain: start break the query by add single code (') then use union select this is a query used to retrieve sensitive data from other columns and set result in single Rows. then use NULL value for knowing number of columns in tables. each Value Number represent of column number. we can select number of columns by using order by 1-- and ad after number 1 represent number of columns too. ending the query by add (--) is comment used to ending the query and any thing comes after comment will be ignored. and this way how database handling queries that comes from user.

after knowing number of columns, we need to know datatypes of these columns. there are a lot of datatypes in programming language, but we want string because that we To make up for his place with usernames and password column.

now change NULL Value with string

3

Cool the 2 columns are string.

now we need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

the address of lab indicates that lab does not intend non-Oracle databases this mean database maybe on of the following (Microsoft - PostgreSQL - MySQL)

by default when create database to the first time this something called information scheme

  • information scheme is default database is that created when create database for the first time. this defines the structure and scheme of own database. each table and column that developer create it added into information scheme. basically information scheme views are read-only, system-defined views that provide metadata information.

each database has information scheme and it differ other database. type of database is PostgreSQL and if you want to know information scheme of database google it (and the same word if database is differed)

4

and when search on tables table name in information scheme called (table name)

The view tables contains all tables and views defined in the current database.

5

now we can add it in query.

note portswigger has information about every database about comment and content and query form that. check this link https://portswigger.net/web-security/sql-injection/cheat-sheet

now we can choose this form

6

the query will add as a follwing:

'UNION+SELECT+NULL,table_name+FROM+information_schema.tables--

7

this is a syntax of query that handling with PostgreSQL database to retrieve table name in database.

copy URL and open link in browser you will see all of tables that inside database.

8

you will see all of tables that inside database. note there are default tables this specifically this structure with database start with Pg

but the important for us is users table, we found the table

9

now we have name pf table but dont have name of columns . till problem . open cheat of portswigger to get syntax

10

query will be as follwing

'UNION+SELECT+NULL,column_name+FROM+information_schema.columns+WHERE+table_name='users_pviogr'--

12

  • Explain: UNION: The UNION keyword combines the results of two SELECT statements into a single result set. SELECT NULL: This statement selects NULL as the only column value in the first result set. This is done column_name FROM information_schema.columns WHERE table_name='users_pviogr': This returns the list of column names in the "users_pviogr" table, which are stored in the "information_schema.columns" view. The view provides metadata about the tables and columns in a database.

cope URL and paste in brawser

13

this is the list of column names in the users_pviogr table. important for us is usernames and passwords as following

username_izjqrz

password_wnbcxg

we will create new query to get all of username and password . as following

'UNION+SELECT+username_izjqrz,password_wnbcxg+FROM+users_pviogr--

16

copy URL and paste you will see username and password . we just need administrator password

15

login as administrator user

17

we solve the lab . thank you 🥇