Skip to main content

🗂️PortSwigger Lab Writeup: SQL Injection Attack - Querying the Database type and version on MySQL and Microsoft

Lab overview for SQL Injection to extract MySQL or Microsoft SQL Server version

🎯 Objective

The objective of this lab is to exploit a Union-based SQL injection vulnerability in a web application where the application executes a SQL query with user-supplied input in unsafe way to filter the products and our goal is to query the database version of a MySQL or Microsoft database.

💉 Payloads Used

1. For determining no of columns :-

  • Payload 1 - ✅
Lifestyle'+UNION+SELECT+NULL,NULL-- -

2. For determining database version :-

  • Payload 2 - ✅
Lifestyle'+UNION+SELECT+NULL,@@version-- -

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • Firstly open the lab URL in your browser, and observe what it is about and how it works. Target e-commerce website interface showing filter categories
  • At first glance, the website seems to be a shopping website with an option to filter products on different categories. In the lab description, it is mentioned that the vulnerability is in the filter parameter which is being used directly in a SQL query.

🔍Step 2: Find the Vulnerable Endpoint

  • Click on any one of the filter to see how website behaves and where the filter parameter is passed to server. URL with vulnerable filter parameter used for SQL injection
  • Here, the site filters the products by supplying the category name in URL - /filter?category=...

🚀Step 3: Inject the Payload

  • Based on my initial observation of the website, it seems that the application is returning two columns and both of string datatype, but still we will verify the the no of columns by using payload - Lifestyle'+UNION+SELECT+NULL,NULL-- -
    info

    On MySQL databases, the format for comment is -- -, where there is two - and a space just after that.

    Successful injection using UNION SELECT with NULLs to determine column count
  • Hence, it is confirmed that the application is returning two columns and both are of string datatype.
  • Now, we will enumerate the database version by using payload - Lifestyle'+UNION+SELECT+NULL,@@version-- - Database version extracted using UNION SQL injection with @@version payload
  • And💥Booom!, We were able to retrieve the database version. Final lab confirmation screen after successful SQL injection exploit
  • And Finally, the Lab is solved.

🧠 Conclusion

  • This lab involves a basic case of SQL injection vulnerability, where the category parameter is used to filter products where the application directly concatenates the user-supplied category in the SQL query to fetch only the relevant products.
  • Since the application neither validates the user-input nor uses prepared statement, an attacker can manipulate the SQL query by injecting any arbitrary SQL commands to gain full access of the database.
  • By injecting Lifestyle'+UNION+SELECT+NULL,@@version-- - in the category parameter, we are able to retrieve the version of MySQL database.