SQL injection attack, listing the database contents on non-Oracle databases — Portswigg
This article describes how to carry out a UNION-based SQL injection attack against a PostgreSQL database during a penetration test. The author explains in detail how to enumerate the database's tables and columns through `information_schema.tables` and `information_schema.columns`, and finally how to retrieve sensitive data from the users table, including usernames and passwords, by constructing a UNION query. 2025-7-2 06:38:26 Author: infosecwriteups.com

RayofHope

Hi, my fellow hackers. This is Rayofhope. I have over 5 years of experience and am currently working as a consultant with a Big 4 firm.

Day 5 of posting all the PortSwigger labs, not just the solutions. I’ll break down why we take each step, because once the ‘why’ is clear, the ‘how’ becomes easy.

Let’s Start:

Before you go for this blog, make sure to read the previous one.
Link to Fourth Blog: https://arayofhope7.medium.com/sql-injection-attack-querying-the-database-type-and-version-on-mysql-and-microsoft-85081e7eef71

Video Walkthrough — You can watch the video or read the blog, totally up to you. But if you ask me, start with the video, then read the blog to connect all the dots.

The lab states that it is not an Oracle database, which means it could be MySQL, MSSQL, or PostgreSQL.

  • In this case, it turns out to be a PostgreSQL database, and you’ll see why by the end of this blog.
  • Since it’s a PostgreSQL database, there are a few important details we need to keep in mind.

Note:

When you’re unsure about the core database, it’s a good idea to test payloads from different database types; one of them might trigger a response.

  • Microsoft SQL Server: SELECT @@version
  • PostgreSQL: SELECT version()
  • MySQL: SELECT @@version

In PostgreSQL, "information_schema.tables" is commonly used to enumerate available tables within the database.

In PostgreSQL, information_schema.tables includes:

  • table_catalog (name of the database containing the table; always the current database)
  • table_schema (name of the schema containing the table, such as public or pg_catalog)
  • table_name (name of the table)
  • table_type (e.g., 'BASE TABLE' or 'VIEW')
  • column_name (name of the column)

Here’s what the application looks like.

Try to find the parameter

We identified that there is a parameter called category with the value gift.

We can see that whatever value we are providing is getting projected, which probably means it is vulnerable to Union-based SQL injection.

The request was intercepted and forwarded to the Repeater tool to log and analyze the request and response times.

Injecting a single quote (') caused an internal server error, indicating that the input may interfere with the SQL query structure, potentially due to insufficient input sanitization.

Used ' ORDER BY 3 -- and the application responded with an internal server error, which likely means the table doesn't have 3 columns. Let's try using 2 instead.

And it returned a 200 OK response, which means the query executed successfully, indicating that the table has 2 columns.
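From the defender's side, the probe sequence this post walks through (a stray quote that produces a 500, an ORDER BY count that errors and one that does not, then UNION queries against information_schema and the users table) is visible in ordinary web-server access logs. The script below is an added example, not part of the original post or the lab: it parses a few constructed combined-format log lines that replay exactly the inputs used in this post and escalates a client that walks through those steps. The /filter?category= path, the timestamps and the client addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined format). They are NOT from the lab or the
# original post; they replay the inputs the post describes against a hypothetical
# /filter?category= parameter, plus one benign request from a second client.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2025:06:30:01 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 5120
203.0.113.5 - - [02/Jul/2025:06:30:09 +0000] "GET /filter?category=Gifts' HTTP/1.1" 500 1021
203.0.113.5 - - [02/Jul/2025:06:30:15 +0000] "GET /filter?category='+ORDER+BY+3+-- HTTP/1.1" 500 1021
203.0.113.5 - - [02/Jul/2025:06:30:21 +0000] "GET /filter?category='+ORDER+BY+2+-- HTTP/1.1" 200 5120
203.0.113.5 - - [02/Jul/2025:06:30:40 +0000] "GET /filter?category='+UNION+SELECT+column_name,+'rayofhope'+FROM+information_schema.columns+WHERE+table_name='users_palrcr'+-- HTTP/1.1" 200 9871
203.0.113.5 - - [02/Jul/2025:06:30:55 +0000] "GET /filter?category='+UNION+SELECT+username_aiyuin,+password_hlbiqz+FROM+users_palrcr+-- HTTP/1.1" 200 6210
198.51.100.7 - - [02/Jul/2025:06:31:02 +0000] "GET /filter?category=Pets HTTP/1.1" 200 4980
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Each signature corresponds to one observable step of the methodology in the post.
SIGNATURES = {
    "quote": re.compile(r"'"),
    "sql_comment": re.compile(r"--|/\*"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
}


def parse_log_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_request(path):
    """Decode every query-string value of the request path and return the set of
    signature names that fire on it (an empty set for a benign request)."""
    tags = set()
    query = urlparse(path).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            for name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    tags.add(name)
    return tags


def analyze(log_text):
    """Aggregate per client IP: requests, flagged requests, 5xx responses, signatures seen."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        entry = report.setdefault(
            rec["ip"], {"requests": 0, "flagged": 0, "server_errors": 0, "tags": set()}
        )
        entry["requests"] += 1
        if 500 <= rec["status"] < 600:
            entry["server_errors"] += 1
        tags = classify_request(rec["path"])
        if tags:
            entry["flagged"] += 1
            entry["tags"] |= tags
    return report


def looks_like_probe_sequence(entry):
    """Escalate a client with several flagged requests that either reached the
    UNION/schema-enumeration stage or triggered server errors on the way there."""
    reached_union = bool(entry["tags"] & {"union_select", "schema_enum"})
    return entry["flagged"] >= 2 and (reached_union or entry["server_errors"] >= 1)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        verdict = "ESCALATE" if looks_like_probe_sequence(entry) else "ok"
        print(f"{ip}: {verdict} {sorted(entry['tags'])} "
              f"flagged={entry['flagged']} errors={entry['server_errors']}")
```

The signatures are deliberately broad (a lone quote fires on ordinary input such as "O'Reilly"), so the verdict is made per client over several requests: it is the combination of quote, ORDER BY and UNION probes with a 500 in between that distinguishes the walkthrough above from a typo. Run on the constructed log, 203.0.113.5 is escalated with five flagged requests and two server errors, while 198.51.100.7 is left alone.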

Tried to identify the data type, and it is a character (string) type.

We can see that it is not a numeric type.

The reason for using table_name and information_schema.tables is that information_schema is a built-in schema in most SQL databases (such as MySQL and PostgreSQL) that stores metadata about the database structure. Its tables view specifically lists every existing table, and its table_name column holds their names.

And we received the user table (users_palrcr) in the response, which confirms that the table exists in the database.

Used ' union select column_name, 'rayofhope' from information_schema.columns where table_name='users_palrcr' -- and it returned 200 OK.

The response also revealed sensitive column names, specifically a password column called password_hlbiqz.

We do get the user details.

Used a simple UNION query to retrieve data related to the username and password: ' UNION SELECT username_aiyuin, password_hlbiqz FROM users_palrcr -- and it returned a 200 OK response.

In the response, we obtained the administrator username and password: mh7x73ezh0ymtucxc65h.
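To show why the application behaves this way at each step, and what the fix looks like, here is an added example that is not the lab's code or the author's. It rebuilds a miniature version of the scenario in SQLite, which stands in for PostgreSQL so the script runs offline; SQLite has no information_schema, so the table and column discovery step is not reproduced, but the ORDER BY column-count probes and the final UNION extraction are run unchanged from the post against a query built by string concatenation and against the same query written with a bind parameter. The products table, its rows and the user rows are constructed; the names users_palrcr, username_aiyuin and password_hlbiqz come from the post.

```python
import sqlite3

# Constructed stand-in for the lab's database (NOT the lab's real schema or data).
# Table and column names for the users table are the ones reported in the post;
# every row value here is made up for this demonstration.
DEMO_SCHEMA = """
CREATE TABLE products (name TEXT, description TEXT, category TEXT, released INTEGER);
INSERT INTO products VALUES ('Gift Box', 'A box of assorted gifts', 'Gifts', 1);
INSERT INTO products VALUES ('Dog Bed', 'A cosy bed for pets', 'Pets', 1);
INSERT INTO products VALUES ('Secret Gadget', 'Unreleased item', 'Gifts', 0);
CREATE TABLE users_palrcr (username_aiyuin TEXT, password_hlbiqz TEXT);
INSERT INTO users_palrcr VALUES ('administrator', 'DEMO-PASSWORD-PLACEHOLDER');
INSERT INTO users_palrcr VALUES ('alice', 'DEMO-OTHER-PLACEHOLDER');
"""


def build_demo_db():
    """Create the in-memory demo database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    return conn


def products_vulnerable(conn, category):
    # Vulnerable pattern (hypothetical reconstruction of what the lab's filter does):
    # the request parameter is spliced into the SQL text, so a quote, ORDER BY or UNION
    # in the input becomes part of the statement the database parses.
    sql = (f"SELECT name, description FROM products "
           f"WHERE category = '{category}' AND released = 1")
    return conn.execute(sql).fetchall()


def products_parameterized(conn, category):
    # Fixed pattern: a bind parameter. The driver hands the value to the database
    # separately from the SQL text, so it is compared as a plain string and can never
    # change the shape of the query.
    sql = ("SELECT name, description FROM products "
           "WHERE category = ? AND released = 1")
    return conn.execute(sql, (category,)).fetchall()


def probe(query_fn, conn, payload):
    """Run one input through a query function and return ('ok', rows) or
    ('error', exception_name), mirroring the 200-vs-500 signal the post reads
    from the application."""
    try:
        return ("ok", query_fn(conn, payload))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


# The inputs used in the post, in the order they were sent.
POST_PAYLOADS = [
    "Gifts'",
    "' ORDER BY 3 --",
    "' ORDER BY 2 --",
    "' UNION SELECT username_aiyuin, password_hlbiqz FROM users_palrcr --",
]

if __name__ == "__main__":
    conn = build_demo_db()
    for payload in POST_PAYLOADS:
        print(f"payload {payload!r}")
        print("  vulnerable   :", probe(products_vulnerable, conn, payload))
        print("  parameterized:", probe(products_parameterized, conn, payload))
```

Against the concatenated query the four inputs reproduce the signals seen in the post: a parse error for the bare quote, an error for ORDER BY 3 (the query only has two columns), an empty but successful result for ORDER BY 2, and the user rows for the UNION. The parameterized version returns an empty product list for all four, because the value is compared as a literal category rather than parsed as SQL. The exception names are SQLite's; PostgreSQL reports different messages, but the application-level outcome, 500 versus 200, is the same.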


Source: https://infosecwriteups.com/sql-injection-attack-listing-the-database-contents-on-non-oracle-databases-portswigg-42fae517cc6e?source=rss----7b722bfd1b8d--bug_bounty