This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the
username and password of all users.
To solve the lab, log in as the administrator user.
Like our previous Lab 9 we followed the same tac tick to get through this lab.
Here it’s a oracle db lab. So we need to fire commands which is for oracle db.
Database contents
You can list the tables that exist in the database, and the columns that those tables contain.
Oracle
SELECT * FROM all_tables SELECT * FROM all_tab_columns WHERE table_name = ‘TABLE-NAME-HERE’
Microsoft
SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’
PostgreSQL
SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’
MySQL
SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’
Solution to the LAB:
Note : use the same techniq to find number of columns in this lab. Which is ORDER BY 1 ..
‘ UNION SELECT TABLE_NAME, NULL FROM all_tables–
Found one table called USERS_HFFSOS which looks interesting here. Lets find out what is there inside these table called users_hffsos.
Next query will be based on this logic
‘ UNION SELECT COLUMN_NAME, NULL FROM all_tab_columns WHERE table_name = ‘USERS_HFFSOS’–
We now see 2 columns inside this table called USERS_HFFSOS
PASSWORD_ZUQIPR
USERNAME_SZICHY
Next step is to get all the data out of these 2 columns.
‘ UNION SELECT PASSWORD_ZUQIPR, USERNAME_SZICHY FROM USERS_HFFSOS–
This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the administrator user.
We will be referring to this Database contents:
You can list the tables that exist in the database, and the columns that those tables contain.
Oracle
SELECT * FROM all_tables SELECT * FROM all_tab_columns WHERE table_name = ‘TABLE-NAME-HERE’
Microsoft
SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’
PostgreSQL
SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’
MySQL
SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’
DEMO ON Actual database:
Using the MYSQL syntax
MySQL
SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’
MYSQL DTABASE:
In this I am using MYSQL Workbench to query the MYSQL database.
Query 1 :
Run this query and see the output. As you can see the below query is displaying all the tables in the sys table. Out of that we are interested in fetching only 1 column which is Table_Name
SELECT * FROM information_schema.tables
Query 2 :
Let’s modify the query to narrow down the results to only 1 column.
SELECT table_name FROM information_schema.tables
Microsoft SQL Server – Using, SSMS
Microsoft
SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’
Query 1 :
This below query is giving us the results which shows all schema.tables out of which are interested in only 1 column called Table_name. Check next query.
SELECT * FROM information_schema.tables;
Query 2 :
SELECT TABLE_NAME FROM information_schema.tables;
‘ UNION SELECT table_name, NULL FROM information_schema.tables–
Solution to the LAB:
Note : first you follow the basic rule to determine how many columns are there. Using Order by 1..
A – First we need to fetch all the schema.Tables and figure out which column will hold the user name and password for us to login.
‘ UNION SELECT table_name, NULL FROM information_schema.tables–
B – We need to find out which table is useful for us to get the details further.
I got to know about the table names here
Users_nfikyl seems to be useful here.
So next step is to get the columns under this table. User_nfikyk
‘ UNION SELECT COLUMN_NAME, NULL FROM information_schema.columns WHERE
table_name = ‘users_nfikyk’–
This then showed us 2 columns given below.
username_ekslyb
password_wybwtr
Next we directly fetched the data from these 2 columns.
‘ UNION SELECT username_ekslyb, password_wybwtr FROM users_nfikyk–
This lab contains an SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
To solve the lab, display the database version string.
REQUIREMENT IS –
Make the database retrieve the string: ‘8.0.31-0ubuntu0.20.04.2’
Understanding: Different Database Syntax
Database versions:
You can query the database to determine its type and version. This information is useful when formulating more complicated attacks.
Oracle
SELECT banner FROM v$version SELECT version FROM v$instance
Microsoft
SELECT @@version
PostgreSQL
SELECT version()
MySQL
SELECT @@version
Comments:
You can use comments to truncate a query and remove the portion of the original query that follows your input.
Oracle
–comment
Microsoft
–comment /*comment*/
PostgreSQL
–comment /*comment*/
MySQL
#comment — comment [Note the space after the double dash] /*comment*/
Steps to resolve this lab :
Note :
To solve this LB in the browser it self, we have to Encode the # char here. Else browser will escape this char.
In mysql we can comment using multiple methods like –, # or /* */
First find out how many columns are there. Using ORDER by Clause.
This lab contains an SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
To solve the lab, display the database version string.
Requirements :
Make the database retrieve the strings: ‘Oracle Database 11g Express Edition Release 11.2.0.2.0 – 64bit Production, PL/SQL Release 11.2.0.2.0 – Production, CORE 11.2.0.2.0 Production, TNS for Linux: Version 11.2.0.2.0 – Production, NLSRTL Version 11.2.0.2.0 – Production’
Solution:
So there are various methods to get the version of the database. Depends on which DB you are using Example is it MS SQL or Is it Oracle.
So we need to run the query like to get the version of the database.
Example
SELECT FROM @@Version
SELECT BANNER FROM V$VERSION
STEPS followed –
Again same method used. First used ORDER by 1 / 2 etc.. To find the number of columns in this.
Next is UNION attack command to retrieve the data in one single column.
This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
The database contains a different table called users, with columns called username and password.
To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
Solution:
In order to solve this lab, I have to first figure out how can I retrieve data from other tables into one single column (Heading says retrieving multiple values in a single column).
Administrator
3kg6bba8ibuwhhz0xc0m
The URL was crafted as
' UNION SELECT NULL, CONCAT (Username, password) FROM users--
This then restored all both the tables data into single column.
Here we can see the same example in MS SQL DB. Where in CONCAT also takes care of joining A String with Integer.
This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.
The database contains a different table called users, with columns called username and password.
To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
As we have learned in previous lab regards how to start with UNION attack, same way we have to solve this lab.
First use the ORDER by Clause to find out how many columns we have.
Next use the UNION clause to add null in additional row.
Next You can use the UNION to Join other table with the current one . The result will be the other table’s data will be reflected under this current page when we fire this query.
Query is :
‘ UNION SELECT * FROM Users–
I just copied the content into my text editor and took a screenshot of the same. At the end of the page you can see user name Administrator and password.
Screenshot of the lab.
Reference – As we have seen this earlier in Lab 3 you will see an example of how it is seen in the database actually.
This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.
The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform an SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.
To first find how many tables are there we can use Order by
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
' ORDER BY 4-- (This one returned error.)
Solution:
NOTE:
The KYE here is that we need to first find the number of columns we found. Based on that we need to construct the String finding query. Example these are 3 columns first null first column, 2nd null 2nd column, in place of 3rd null 3rd column we placed our string. (NULL, NULL, ‘a’)
Same way if we figure out there are 4 tables then add 4 nulls to probe those 4 columns (NULL, NULL, NULL, NULL).
' UNION SELECT 'a', NULL, NULL--
' UNION SELECT NULL, '3WP4t1', NULL--
' UNION SELECT NULL, NULL, 'a'--
note : Refer to Lab 3 for the example using the SQL database, like what and how we see these queries in database side.
This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.
To solve the lab, determine the number of columns returned by the query by performing an SQL injection UNION attack that returns an additional row containing null values.
When an application is vulnerable to SQL injection and the results of the query are returned within the application’s responses, the UNION keyword can be used to retrieve data from other tables within the database. This results in an SQL injection UNION attack.
The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query. For example:
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
This SQL query will return a single result set with two columns, containing values from columns a and b in table1 and columns c and d in table2.
For aUNIONquery to work, two key requirements must be met:
The individual queries must return the same number of columns.
The data types in each column must be compatible between the individual queries.
To carry out an SQL injection UNION attack, you need to ensure that your attack meets these two requirements. This generally involves figuring out:
How many columns are being returned from the original query?
Which columns returned from the original query are of a suitable data type to hold the results from the injected query?
Determining the number of columns required in an SQL injection UNION attack
When performing an SQL injection UNION attack, there are two effective methods to determine how many columns are being returned from the original query.
The first method involves injecting a series of ORDER BY clauses and incrementing the specified column index until an error occurs. For example, assuming the injection point is a quoted string within the WHERE clause of the original query, you would submit:
' ORDER BY 1-- ' ORDER BY 2-- ' ORDER BY 3-- etc.
This series of payloads modifies the original query to order the results by different columns in the result set. The column in an ORDER BY clause can be specified by its index, so you don’t need to know the names of any columns. When the specified column index exceeds the number of actual columns in the result set, the database returns an error, such as:
The ORDER BY position number 3 is out of range of the number of items in the select list.
The application might actually return the database error in its HTTP response, or it might return a generic error, or simply return no results. Provided you can detect some difference in the application’s response, you can infer how many columns are being returned from the query.
The second method involves submitting a series ofUNION SELECTpayloads specifying a different number of null
values:
' UNION SELECT NULL-- ' UNION SELECT NULL,NULL-- ' UNION SELECT NULL,NULL,NULL-- etc.
If the number of nulls does not match the number of columns, the database returns an error, such as:
All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.
Again, the application might actually return this error message, or might just return a generic error or no results. When the number of nulls matches the number of columns, the database returns an additional row in the result set, containing null values in each column. The effect on the resulting HTTP response depends on the application’s code. If you are lucky, you will see some additional content within the response, such as an extra row on an HTML table. Otherwise, the null values might trigger a different error, such as a NullPointerException. Worst case, the response might be indistinguishable from that which is caused by an incorrect number of nulls, making this method of determining the column count ineffective.
LAB
PRACTITIONER
Solution:
' UNION SELECT NULL, NULL, NULL---
Steps:
First load the page and go to one of the Category’s .
When an application is vulnerable to SQL injection and the results of the query are returned within the application’s responses, the UNION keyword can be used to retrieve data from other tables within the database. This results in an SQL injection UNION attack.
The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query. For example:
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
This SQL query will return a single result set with two columns, containing values from columns a and b in table1 and columns c and d in table2.
For aUNIONquery to work, two key requirements must be met:
The individual queries must return the same number of columns.
The data types in each column must be compatible between the individual queries.
To carry out an SQL injection UNION attack, you need to ensure that your attack meets these two requirements. This generally involves figuring out:
How many columns are being returned from the original query?
Which columns returned from the original query are of a suitable data type to hold the results from the injected query?
Determining the number of columns required in an SQL injection UNION attack
When performing an SQL injection UNION attack, there are two effective methods to determine how many columns are being returned from the original query.
The first method involves injecting a series of ORDER BY clauses and incrementing the specified column index until an error occurs. For example, assuming the injection point is a quoted string within the WHERE clause of the original query, you would submit:
' ORDER BY 1-- ' ORDER BY 2-- ' ORDER BY 3-- etc.
This series of payloads modifies the original query to order the results by different columns in the result set. The column in an ORDER BY clause can be specified by its index, so you don’t need to know the names of any columns. When the specified column index exceeds the number of actual columns in the result set, the database returns an error, such as:
The ORDER BY position number 3 is out of range of the number of items in the select list.
The application might actually return the database error in its HTTP response, or it might return a generic error, or simply return no results. Provided you can detect some difference in the application’s response, you can infer how many columns are being returned from the query.
The second method involves submitting a series ofUNION SELECTpayloads specifying a different number of null
values:
' UNION SELECT NULL-- ' UNION SELECT NULL,NULL-- ' UNION SELECT NULL,NULL,NULL-- etc.
If the number of nulls does not match the number of columns, the database returns an error, such as:
All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.
Again, the application might actually return this error message, or might just return a generic error or no results. When the number of nulls matches the number of columns, the database returns an additional row in the result set, containing null values in each column. The effect on the resulting HTTP response depends on the application’s code. If you are lucky, you will see some additional content within the response, such as an extra row on an HTML table. Otherwise, the null values might trigger a different error, such as a NullPointerException. Worst case, the response might be indistinguishable from that which is caused by an incorrect number of nulls, making this method of determining the column count ineffective.
Scroll Unlock 