SQL injection attack, querying the database type and version on Oracle - KA4KA4/PortSwigger-SQL-injection-Labs GitHub Wiki

Hello, let's start.

Access the lab, intercept the request, and send it to Repeater.

Start testing.

The first step is to trigger an error that reveals SQL injection. In this lab we already know the parameter is injectable, but in a real test we have to find out whether a parameter is vulnerable by breaking the query syntax so that the database returns an error; an error indicates a likely SQL injection. The character that breaks the syntax differs from one website to another, so we try adding characters such as a single quote ('), double quotes (""), a slash (/), or encoded forms of these ('-"-/), and so on.

Add a single quote.


Now we get a database error, which means this parameter may be vulnerable to SQL injection.

In real-world bug bounty work there are several database types (Oracle, Microsoft, PostgreSQL, MySQL), and each has its own syntax for handling queries. If you still get errors while testing, try the syntax of another database. This lab targets an Oracle database, which, as I said before, has its own syntax.

  • UNION SELECT is a query used to gather information from other tables in the database: it combines the results of multiple SELECT statements into a single result set, which is useful when you need to retrieve and aggregate data from multiple tables or databases.

In an Oracle database, a UNION SELECT must reference a table, and for this we use the built-in table called DUAL. DUAL exists by default in Oracle's system schema: it is a special one-row, one-column table present by default in all Oracle databases.

Now add the query:

UNION+SELECT+'NULL','NULL'+FROM+DUAL--


  • Explain: in the first query we broke the syntax with (') to confirm there is SQL injection and that the database is handling our requests. Then we use UNION SELECT, which retrieves data from other columns into a single result, and NULL values to determine the number of columns: keep adding NULL values until the database returns an error, which means that number of columns does not exist. Then we use DUAL. The DUAL table is typically used in SQL statements that require a table reference but where no real table is needed; here it simply provides a table to select our constant values from.
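The quote probe and the UNION SELECT with NULL placeholders described above both depend on user input being pasted into the SQL text. The following Python example (added here; it is not part of the original write-up and not the lab's own code) uses an in-memory sqlite3 table as a stand-in for the lab's Oracle database and a constructed product list, and contrasts a lookup built by string concatenation with one that uses a bound parameter. The concatenated version throws the syntax error the write-up relies on and accepts the UNION payload, while the parameterized version treats the same input as a plain value and returns nothing.

```python
import sqlite3


def make_db():
    # Constructed in-memory product table standing in for the lab's database.
    # sqlite3 is used because it ships with Python; the lab itself runs Oracle.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, category TEXT)")
    con.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("Pen", "Gifts"), ("Mug", "Gifts"), ("Lamp", "Home")],
    )
    con.commit()
    return con


def lookup_vulnerable(con, category):
    # String concatenation: the user's input becomes part of the SQL text,
    # so a stray quote changes the statement instead of the value.
    sql = "SELECT name FROM products WHERE category = '" + category + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, category):
    # Bound parameter: the driver sends the input separately from the SQL text,
    # so it can only ever be compared as a value.
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in con.execute(sql, (category,))]


def probe(fn, con, payload):
    # Returns ("error", message) or ("rows", rows): the observable difference
    # a tester looks for, and the difference a defender wants to remove.
    try:
        return ("rows", fn(con, payload))
    except sqlite3.OperationalError as e:
        return ("error", str(e))


if __name__ == "__main__":
    con = make_db()
    for payload in ("Gifts", "Gifts'", "Gifts' UNION SELECT NULL--"):
        print(repr(payload))
        print("  concatenated :", probe(lookup_vulnerable, con, payload))
        print("  parameterized:", probe(lookup_parameterized, con, payload))
```

The single-quote probe is useful precisely because the concatenated query reports an error while the parameterized one does not; if an application shows no difference between the two inputs, the parameter is most likely bound rather than concatenated.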

After identifying the database and the number of columns, we need to determine the data type of each column, specifically which columns hold strings. There are many data types, but we need to find a string column.

Now replace the NULL values with text.


Cool, both columns hold string values.

To confirm that the database handled our query, we can see the word (asd) in the response.


Now we need to get the database version to solve the lab.

PortSwigger makes this easier with a cheat sheet of queries for each database; check this link: https://portswigger.net/web-security/sql-injection/cheat-sheet

I chose version, Oracle.


Now add the query in Burp Suite:

'UNION+SELECT+banner,NULL+FROM+v$version--


  • Explain: in the first query we broke the syntax with (') to confirm there is SQL injection and that the database is handling our requests. Then we use UNION SELECT, which retrieves data from other columns into a single result, and NULL values to determine the number of columns: keep adding NULL values until the database returns an error, which means that number of columns does not exist. Then we add banner, a column in a default table of the database that displays the name and version number of the database. Then we use v$version in place of DUAL: DUAL is typically used in SQL statements that require a table reference but where no real table is needed, whereas here the data we want comes from v$version.

To verify that your query is correct, search the response for "version" and you will see the version number.
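Seen from the defending side, the requests in this write-up (a lone quote that produces a 500, then UNION SELECT ... FROM DUAL and v$version payloads, sometimes URL-encoded) leave a recognisable trail in web server logs. The following Python example is added here and is not part of the original write-up or of any PortSwigger tooling; it runs over a few constructed access-log lines, URL-decodes each query parameter (so both the `+` and `%20` spellings are caught), applies a small set of pattern rules drawn from this page, and ranks findings so that a single apostrophe in a legitimate value such as O'Neil is flagged as low rather than high.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not real traffic). Lines 2-4 carry the
# kinds of payloads shown in this write-up; line 5 is a legitimate value that
# happens to contain an apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=Gifts' HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /filter?category=Gifts'+UNION+SELECT+'NULL','NULL'+FROM+DUAL-- HTTP/1.1" 200 700
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /filter?category=Gifts'%20UNION%20SELECT%20banner,NULL%20FROM%20v$version-- HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /filter?category=O'Neil%20Gifts HTTP/1.1" 200 300
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Pattern rules taken from the payloads discussed on this page. They are applied
# to the decoded parameter value, not the raw URL, so encoding does not hide them.
RULES = [
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("oracle_version_view", re.compile(r"\bv\$version\b", re.I)),
    ("oracle_dual", re.compile(r"\bfrom\s+dual\b", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
]
HIGH = {"union_select", "oracle_version_view", "oracle_dual"}


def classify(value, status):
    # Returns (rules_hit, severity) for one decoded parameter value, or None.
    hits = [name for name, rx in RULES if rx.search(value)]
    if value.count("'") % 2 == 1:
        # An odd number of quotes is what the write-up's first probe looks like,
        # but it is also what O'Neil looks like, so on its own it is weak evidence.
        hits.append("unbalanced_quote")
    if not hits:
        return None
    if HIGH & set(hits):
        severity = "high"
    elif "unbalanced_quote" in hits and status >= 500:
        # A quote that coincides with a server error matches the error-based
        # detection step described on this page.
        severity = "medium"
    else:
        severity = "low"
    return hits, severity


def scan(log_text):
    # Returns one finding per suspicious parameter, in log order.
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        status = int(m["status"])
        params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
        for name, value in params:
            result = classify(value, status)
            if result is None:
                continue
            hits, severity = result
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "param": name,
                "value": value, "rules": hits, "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:10} {f['param']}={f['value']!r} {f['rules']}")
```

Decoding before matching matters: the third and fourth lines carry the same kind of payload, one with `+` and one with `%20`, and a rule applied to the raw URL would need a separate pattern for every encoding. In a real deployment the medium and high findings are the ones worth an alert, while low findings from a lone quote are better kept as context for correlation by source address.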


Now we have solved the lab. Thank you 🥇