Skip to main content

🗂️PortSwigger Lab Writeup: SQL Injection Attack - Querying the Database type and version on Oracle

Lab introduction page for SQL Injection to retrieve Oracle database version

🎯 Objective

The objective of this lab is to exploit a Union-based SQL injection vulnerability in a web application where the application executes a SQL query with user-supplied input in unsafe way to filter the products and our goal is to query the database version of a Oracle database.

💉 Payloads Used

1. For determining no of columns :-

  • Payload 1 - ✅
Pets'+UNION+SELECT+NULL,NULL+FROM+dual--

2. For determining database version :-

  • Payload 2 - ✅
Pets'+UNION+SELECT+NULL,banner+FROM+v$version--

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • Firstly open the lab URL in your browser, and observe what it is about and how it works. Target web application homepage with product filter categories
  • At first glance, the website seems to be a shopping website with an option to filter products on different categories. In the lab description, it is mentioned that the vulnerability is in the filter parameter which is being used directly in a SQL query.

🔍Step 2: Find the Vulnerable Endpoint

  • Click on any one of the filter to see how website behaves and where the filter parameter is passed to server. Filter parameter visible in URL indicating injection point
  • Here, the site filters the products by supplying the category name in URL - /filter?category=...

🚀Step 3: Inject the Payload

  • Based on my initial observation of the website, it seems that the application is returning two columns and both of string datatype, but still we will verify the the no of columns by using payload - Pets'+UNION+SELECT+NULL,NULL+FROM+dual--
    info

    On Oracle databases, every SELECT statement must specify a table to select FROM. If your UNION SELECT attack does not query from a table, you will still need to include the FROM keyword followed by a valid table name.
    There is a built-in table on Oracle called dual which you can use for this purpose. For example: UNION SELECT 'abc' FROM dual

    Successful response after injecting payload with dual table in Oracle
  • Hence, it is confirmed that the application is returning two columns and both are of string datatype.
  • Now, we will enumerate the database version by using payload - Pets'+UNION+SELECT+NULL,banner+FROM+v$version-- Database version details displayed in web page confirming injection success
  • And💥Booom!, We were able to retrieve the database version. Portswigger Lab Solved Banner
  • And Finally, the Lab is solved.

🧠 Conclusion

  • This lab involves a basic case of SQL injection vulnerability, where the category parameter is used to filter products where the application directly concatenates the user-supplied category in the SQL query to fetch only the relevant products.
  • Since the application neither validates the user-input nor uses prepared statement, an attacker can manipulate the SQL query by injecting any arbitrary SQL commands to gain full access of the database.
  • By injecting Pets'+UNION+SELECT+NULL,banner+FROM+v$version-- in the category parameter, we are able to retrieve the version of Oracle database.