SQL injection attack, querying the database type and version on Oracle — PortSwigger
This article introduces the basics of the Oracle database and SQL injection techniques against it, including using the DUAL table and the v$version view to extract the database version, and shows how a specific payload is constructed to achieve the injection. 2025-06-30 07:46:09 Author: infosecwriteups.com

RayofHope

Hi, my fellow hackers. This is Rayofhope. I have over 5 years of experience and am currently working as a consultant with a Big 4 firm.

Day 3 of posting all the PortSwigger labs, not just the solutions. I’ll break down why we take each step, because once the ‘why’ is clear, the ‘how’ becomes easy.

Let’s Start:

Before you go through this blog, make sure to read the previous one.
Link to the second blog: https://medium.com/@arayofhope7/sql-injection-vulnerability-allowing-login-bypass-post-method-9d219a201de7

Video Walkthrough — You can watch the video or read the blog, totally up to you. But if you ask me, start with the video, then read the blog to connect all the dots.

What is an Oracle database?

Oracle Database is a relational database management system (RDBMS) developed by Oracle Corporation. It stores data in tables and allows querying using SQL (Structured Query Language).

Well, well, let’s learn some basics of Oracle’s internal tables and views:
USER_TABLES: Tables owned by the current user
ALL_TABLES: Tables accessible to the current user
DBA_TABLES: All tables in the database (requires DBA privileges)
V$VERSION: Displays the Oracle version information
V$INSTANCE: Provides instance-specific information

Note: Oracle requires a FROM clause in every SELECT query.

  • Most Important: Let’s say you’re trying to query a database, but you don’t know the name of any table. How would you proceed then?
  • In Oracle Database, DUAL is a special one-row, one-column table automatically created by Oracle in the SYS schema.
  • It’s used when you need to run a SELECT statement without querying any actual table, for example, when you're just evaluating expressions, calling functions, or testing.
  • As we know, Oracle requires a FROM clause in every SELECT query. So, when you don’t have a real table to select from, you select from DUAL, the dummy table.
  • Every application backed by an Oracle database will have the dummy table DUAL available.
  • Now that we understand Oracle Database, it’s important to note that SQL injection against it works the same way as against any other database; the only difference is the specific query you use to retrieve the data.

Note: The banner column is always present in the v$version view in Oracle by default

Let's take an example of a UNION injection payload: ' UNION SELECT banner FROM v$version

Note: We never use a double quote (") in an Oracle payload, because Oracle delimits string literals with single quotes. So when you are crafting a payload or trying to balance the query, you would never write " ORDER BY 2-- ; instead, you would use a single quote: ' ORDER BY 2--

Here’s what the application looks like.

The lab question says to retrieve the database version details. Let’s try accessing the product category to check if we can find any parameters.

As we have a parameter now, let’s see if it is vulnerable to SQL Injection. We will try changing the value and see if it reflects or throws an internal server error.

As we can see, both an output point (the query results are reflected in the page) and the error are present, which means this application is vulnerable to UNION-based and error-based SQL Injection attacks. Here, we will proceed with UNION injection. Since we now know that the parameter is vulnerable to SQL Injection, let’s intercept the request and start hunting.

Let’s send it to the Repeater.

This is what the response looks like.

We tried to determine the column count using ORDER BY 5-- and it threw an internal server error, which means the query returns fewer than 5 columns.

This shows that the application doesn’t even have 3 columns. Let’s check if it has 2 columns.

Application returned a 200 OK response, which means it has 2 columns.

Now that we’ve successfully determined the number of columns, let’s try performing UNION-based injections. Although we already know the application is using an Oracle database, we’ll still give it a try to see whether SQL Server-style queries work or not.

Although the standard SQL Server-style UNION payload did not work, that doesn’t mean the parameter isn’t vulnerable. Now, we’ll try using an Oracle-specific payload.

And there you go — we got the version details! For that, we used the following payload: ' UNION SELECT banner, 'rayofhope' FROM v$version--
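From the defender's side, the probing sequence this walkthrough performs (a lone quote that causes a 500, ORDER BY column counting, then a UNION SELECT ... FROM v$version) leaves a recognisable trail in web server access logs. The following detector, an added example that is not part of the original post, scans constructed sample log lines for exactly those Oracle-specific indicators; the log format, IP address and request paths are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from the original post). The
# category parameter mirrors the lab's injection point.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jun/2025:07:46:09 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 5120
203.0.113.5 - - [30/Jun/2025:07:46:15 +0000] "GET /filter?category=Gifts' HTTP/1.1" 500 0
203.0.113.5 - - [30/Jun/2025:07:46:21 +0000] "GET /filter?category=Gifts'%20ORDER%20BY%205-- HTTP/1.1" 500 0
203.0.113.5 - - [30/Jun/2025:07:46:30 +0000] "GET /filter?category=Gifts'%20UNION%20SELECT%20banner,%20'x'%20FROM%20v$version-- HTTP/1.1" 200 6200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Oracle-specific probes described in the post: ORDER BY column-count
# enumeration, UNION SELECT ... FROM v$version, and selecting FROM dual.
PATTERNS = {
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+\s*--", re.I),
    "oracle_version_union": re.compile(r"union\s+(all\s+)?select\b.*\bfrom\s+v\$version", re.I | re.S),
    "oracle_dual": re.compile(r"\bfrom\s+dual\b", re.I),
}


def classify_request(target, status):
    """Return the set of Oracle SQLi indicators found in the request's query parameters."""
    findings = set()
    # parse_qsl percent-decodes each value, so the patterns see the raw SQL.
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for label, pattern in PATTERNS.items():
            if pattern.search(value):
                findings.add(label)
        # A lone quote that turns into a 500 is the first sign the post looks for.
        if status == 500 and "'" in value:
            findings.add("quote_caused_error")
    return findings


def scan_log(text):
    """Return (status, sorted indicators) for every log line carrying an indicator."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group("target"), int(match.group("status")))
        if findings:
            hits.append((int(match.group("status")), sorted(findings)))
    return hits


if __name__ == "__main__":
    for status, findings in scan_log(SAMPLE_LOG):
        print(status, findings)
```

The same three indicators seen from one client within a short window, with the 500s followed by a 200, is the sequence worth alerting on rather than any single pattern.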


Source: https://infosecwriteups.com/sql-injection-attack-querying-the-database-type-and-version-on-oracle-portswigger-904487db7d3d?source=rss----7b722bfd1b8d--bug_bounty