Solving Portswigger Academy: SQL injection attack, listing the database contents on non-Oracle databases
In this lab our task is to extract the data from the database specifically the password for user administrator.
When we access the lab, we see various categories.Let’s select the Gifts and test it for SQLi.
When we use single quote we get the 500 Internal Server Error.
When two single quotes are used, th e response changed to 200 OK. This confirms SQLi.
Now we need to find the number of columns and which columns will help us to extract data.
Order By clause help us to find the number of columns and these are 2.
Now will find the column/s which help to display data.
We can use both columns to extract data.Let’s first find tables in database.
Payload: Gifts’+UNION+ALL+SELECT+table_name,+null+FROM+information_schema.tables+ — +
We have the users table called as ‘users_epofwa’. Let’s find the columns in this table.
Payload: Gifts’+UNION+ALL+SELECT+column_name,+null+FROM+information_schema.columns+WHERE+table_name=’users_epofwa’+ — +
Now we need to find fetch the data from the columns username_amynwl and password_wrhrmn.
Payload: Gifts’+UNION+ALL+SELECT+username_amynwl,password_wrhrmn+FROM+users_epofwa+ — +
Now we have the username and password for admin, lets login.
