05 - SQL injection attack, listing the database contents on non-Oracle databases
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the administrator user.
Given: Injection point (product category)
End goal: Log in as the administrator user
First, we need to know how many columns the original query returns so that we can build a valid SQL UNION query. We can use ORDER BY to find the number of columns. If we try ORDER BY 2, the response is 200 OK, but when we try ORDER BY 3, it gives an error.
That means there are two columns.
Now we need the name of the table in which the credentials are stored. We can use the following query to get the table names:
t'+UNION+SELECT+null,table_name+from+information_schema.tables--
The output lists the table names.
The likely table name is users_clxmmb.
Now we have to find the names of the columns in which the data is stored. We can use the following query to get the column names, with null filling the second column so that the UNION still returns two columns:
ft'+UNION+SELECT+column_name,null+from+information_schema.columns+where+table_name%3d'users_clxmmb'--
The output lists all the column names.
Now that we know the column names and the table name, we can read the data in those columns with the query:
it'+UNION+SELECT+username_vmtafv,password_iusfxk+from+users_clxmmb--
It returns all the usernames and passwords in the table.
Now go to "My account" and log in with the administrator credentials.
Lab solved.
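The fix for the flaw exercised above is to bind the category as a parameter instead of concatenating it into the query. The following is an added example, not part of the original write-up or the lab's code: it uses an in-memory SQLite database as a stand-in for the lab's back end, and the products table, its rows, the stored password and the function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data. The products table and its rows are assumptions;
    # the users table and column names are the ones enumerated in the write-up.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        INSERT INTO products VALUES ('Mug', 'Ceramic mug', 'Gifts');
        CREATE TABLE users_clxmmb (username_vmtafv TEXT, password_iusfxk TEXT);
        INSERT INTO users_clxmmb VALUES ('administrator', 'constructed-secret');
    """)
    return db

def products_vulnerable(db, category):
    # The category is concatenated into the SQL text, so a quote inside it ends
    # the string literal and the rest of the value is parsed as SQL.
    sql = ("SELECT name, description FROM products WHERE category = '"
           + category + "'")
    return db.execute(sql).fetchall()

def products_parameterized(db, category):
    # The category is bound as a value; the statement text never changes, so
    # the whole input is compared against the category column as one string.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

# URL-decoded form of the final query string used in the write-up
PAYLOAD = "it' UNION SELECT username_vmtafv,password_iusfxk from users_clxmmb--"

if __name__ == "__main__":
    db = make_db()
    print("concatenated: ", products_vulnerable(db, PAYLOAD))
    print("parameterized:", products_parameterized(db, PAYLOAD))
    print("normal input: ", products_parameterized(db, "Gifts"))
```

With concatenation the two-column product query returns the row from users_clxmmb; with the bound parameter the same input matches no category and returns nothing, while a normal category still works.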