Hi, my fellow hackers. This is Rayofhope. I have over 5 years of experience and am currently working as a consultant with a Big 4 firm.
Day 6 of posting all the PortSwigger labs, not just the solutions. I’ll break down why we take each step, because once the ‘why’ is clear, the ‘how’ becomes easy.
Let’s Start:
Before you read this post, make sure to read the previous one.
Link to Fourth Blog: https://arayofhope7.medium.com/sql-injection-attack-listing-the-database-contents-on-non-oracle-databases-portswigg-42fae517cc6e
Video Walkthrough — You can watch the video or read the blog, totally up to you. But if you ask me, start with the video, then read the blog to connect all the dots.
What is an Oracle database?
Oracle Database is a relational database management system (RDBMS) developed by Oracle Corporation. It stores data in tables and allows querying using SQL (Structured Query Language).
Well, well, let’s learn some basics of Oracle’s internal tables
USER_TABLES: Tables owned by the current user
ALL_TABLES: Tables accessible to the current user
DBA_TABLES: All tables in the database (requires DBA privileges)
V$VERSION: Displays the Oracle version information
V$INSTANCE: Provides instance-specific information
Oracle, list tables: SELECT * FROM all_tables
Oracle, list the columns of one table: SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'
Non-Oracle databases (MySQL, PostgreSQL, MSSQL; the form used in the previous post): SELECT * FROM information_schema.tables
Here’s what the application looks like.
Now that we have a parameter, let's see if it is vulnerable to SQL injection. We will try changing the value and see whether it is reflected in the response or throws an internal server error.
Whatever input we provide in the parameter value is reflected in the response, so it could be vulnerable to a UNION-based injection.
The HTTP request was intercepted using Burp and then forwarded to the repeater.
A single quote (') was used in the input, which resulted in a 500 Internal Server Error, indicating that the quote broke the SQL query.
After confirming that the application is vulnerable to SQL injection because it does not handle single quotes (') properly, we attempted to identify the number of columns using a UNION SELECT payload. Testing with 3 columns produced an error, which indicated that the original SQL query likely returns fewer than 3 columns.
We then tried ORDER BY 2, which returned a 200 OK response, indicating that the query has at least 2 columns. Combined with the previous result, the query returns exactly 2 columns.
After determining the number of columns in the query, the next step is to identify the data types of each column, which is essential for crafting a successful UNION SELECT payload.
Used ' UNION SELECT 'ray', 'ray'--, and it returned an error. This is expected: in Oracle, every SELECT statement must reference a table in a FROM clause.
Used ' UNION SELECT 'ray', 'ray' FROM dual--, and it returned a 200 OK response, which indicates that both columns accept string (character) data. DUAL is a special one-row, one-column table available by default in every Oracle database, used exactly for this purpose: selecting values that do not come from a real table.
Used ' UNION SELECT table_name, 'ray' FROM all_tables--, and it returned a 200 OK response, which confirms that the injection was successful. table_name is a column of the all_tables view, which holds metadata about every table accessible to the database user the application connects as.
As a result of the successful query, we were able to extract the list of table names from the database, including the users table.
Used ' UNION SELECT column_name, 'ray' FROM all_tab_columns WHERE table_name = 'USERS_VHVEBS'--, and it returned a 200 OK response. Here, column_name is a column of the all_tab_columns view, which returned all the columns of the specified table.
The response revealed the column names USERNAME_SGSWAR and PASSWORD_RXEPJO, indicating that the USERS_VHVEBS table stores sensitive user credentials such as usernames and passwords.
Used ' UNION SELECT USERNAME_SGSWAR, PASSWORD_RXEPJO FROM USERS_VHVEBS--, and it returned all the user information from the USERS_VHVEBS table.
There we go, we now have the admin account and its password.
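The whole chain above (quote probe, column count, FROM dual type check, all_tables, all_tab_columns, data dump) seen from the defender's side. This is an added example, not code from the original post or from the PortSwigger lab. It assumes a back-end query of the shape SELECT ... WHERE category = '<input>' (the post never shows it), a hypothetical bind variable named :category, and constructed access-log lines; the function names are mine. It shows why the lone quote produces the 500, how a bind variable keeps the same input as data, and how the Oracle-specific steps of the enumeration look in a web server log.

```python
"""Added example (not from the original post or the lab):
(1) why a single quote produces the 500 and how the UNION lands when the
query is built by string concatenation, (2) the bind-variable form that
keeps the same input as data, and (3) a log-side check that recognises
the Oracle-specific steps of the enumeration chain described in the post.
The back-end query shape is an assumption; the log lines are constructed."""
import re
from urllib.parse import unquote_plus


# --- 1. The (assumed) vulnerable query construction ------------------------
def build_query_unsafe(category: str) -> str:
    """User input is pasted straight into the SQL text."""
    return f"SELECT name, description FROM products WHERE category = '{category}'"


def has_unbalanced_quotes(sql: str) -> bool:
    """A lone ' leaves a string literal open: an odd number of quotes is the
    parse error behind the 500. The later UNION payloads end with -- so the
    template's own trailing quote is commented away instead."""
    return sql.count("'") % 2 == 1


# --- 2. The fix: an Oracle bind variable ----------------------------------
def build_query_safe(category: str) -> tuple[str, dict]:
    """':category' is the Oracle bind-variable syntax used by python-oracledb
    and cx_Oracle (cursor.execute(sql, params)). The statement text is fixed;
    the input can only ever be a value, never new SQL syntax."""
    sql = "SELECT name, description FROM products WHERE category = :category"
    return sql, {"category": category}


# --- 3. Detection: recognise the enumeration stages in an access log ------
# One marker per stage of the walkthrough. Tuned to this lab's chain; a real
# deployment would pair this with database-side auditing of dictionary views.
STAGES = [
    ("column_count", re.compile(r"\bORDER\s+BY\s+\d+", re.I)),
    ("union_select", re.compile(r"\bUNION\s+SELECT\b", re.I)),
    ("from_dual",    re.compile(r"\bFROM\s+dual\b", re.I)),
    ("list_tables",  re.compile(r"\ball_tables\b", re.I)),
    ("list_columns", re.compile(r"\ball_tab_columns\b", re.I)),
]

# Apache/nginx combined-log prefix: ip ident user [time] "METHOD path HTTP/x" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify(decoded_query: str) -> list[str]:
    """Return the stage names a URL-decoded query string matches. A bare
    quote with no other marker is the initial 'does it break?' probe."""
    matched = [name for name, pat in STAGES if pat.search(decoded_query)]
    if not matched and "'" in decoded_query:
        matched = ["quote_probe"]
    return matched


def parse_line(line: str):
    """Extract (source ip, decoded query string, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = path.split("?", 1)[1] if "?" in path else ""
    return m.group("ip"), unquote_plus(query), int(m.group("status"))


def enumeration_report(log_text: str, threshold: int = 3) -> dict:
    """Per source IP, the distinct stages seen. Several distinct stages from
    one source is what separates an enumeration chain from a legitimate
    search value that merely contains an apostrophe."""
    seen: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, query, _status = parsed
        stages = classify(query)
        if stages:
            seen.setdefault(ip, set()).update(stages)
    return {ip: {"stages": sorted(s), "suspicious": len(s) >= threshold}
            for ip, s in seen.items()}


# Constructed sample log: one source replays the post's chain, another just
# searches for a category containing an apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /filter?category=Gifts%27 HTTP/1.1" 500 41
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /filter?category=Gifts%27+ORDER+BY+2-- HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:31 +0000] "GET /filter?category=Gifts%27+UNION+SELECT+%27ray%27,%27ray%27+FROM+dual-- HTTP/1.1" 200 5200
10.0.0.5 - - [01/Jan/2024:10:00:45 +0000] "GET /filter?category=Gifts%27+UNION+SELECT+table_name,%27ray%27+FROM+all_tables-- HTTP/1.1" 200 9800
10.0.0.5 - - [01/Jan/2024:10:01:02 +0000] "GET /filter?category=Gifts%27+UNION+SELECT+column_name,%27ray%27+FROM+all_tab_columns+WHERE+table_name=%27USERS_VHVEBS%27-- HTTP/1.1" 200 6100
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /filter?category=Rock%27n%27Roll HTTP/1.1" 500 41
"""

if __name__ == "__main__":
    probe = "Gifts'"
    unsafe = build_query_unsafe(probe)
    print(unsafe, "->", "unbalanced quotes" if has_unbalanced_quotes(unsafe) else "ok")
    print(build_query_safe(probe))
    for ip, info in enumeration_report(SAMPLE_LOG).items():
        print(ip, info)
```

The report treats 10.0.0.9 as benign: a single apostrophe in a search term is normal traffic and also returns a 500 from a vulnerable application, so the signal worth alerting on is the sequence of distinct stages from one source, not any one request. The fix side is deliberately small: with a bind variable the statement text never changes, so none of the payloads in the post can alter which table the query reads from.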