SQL injection attack, querying the database type and version on MySQL and Microsoft
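Rayofhope uses a PortSwigger lab to demonstrate how a Union-based SQL injection attack can be used to query the type and version of a MySQL database. The number of columns is determined by testing single quotes, double quotes and comment characters, and a `UNION SELECT` statement combined with `@@version` successfully retrieves the database version information. 2025-6-30 07:46:2 Author: infosecwriteups.com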

RayofHope

Hi, my fellow hackers. This is Rayofhope. I have over 5 years of experience and am currently working as a consultant with a Big 4 firm.

Day 4 of posting all the PortSwigger labs, not just the solutions. I’ll break down why we take each step, because once the ‘why’ is clear, the ‘how’ becomes easy.

Let’s Start:

Before you go through this blog, make sure to read the previous one.
Link to Third Blog: https://medium.com/@arayofhope7/sql-injection-attack-querying-the-database-type-and-version-on-oracle-portswigger-904487db7d3d

Video Walkthrough — You can watch the video or read the blog, totally up to you. But if you ask me, start with the video, then read the blog to connect all the dots.

What is a MySQL database?

MySQL is an open-source relational database management system (RDBMS). It allows you to store, organize, and retrieve data efficiently using SQL (Structured Query Language).

Note: MySQL commands

  • SELECT @@version: to gather version details
  • SELECT user(); or SELECT current_user(): to find out the current user

To comment out, we can use:

  • -- - (Double Dash with Dash)
  • -- (Double Dash)
  • # (Hash)

Here’s what the application looks like.

Explore the application to check if there are any parameters. We found one parameter with the value Accessories.

Let’s see if there are any projection points or not.

The input provided is being directly projected into the query, indicating a potential vulnerability to Union-based SQL injection attacks. Let’s intercept the request and see if we can exploit it.

The data was intercepted. Let's send it to the repeater.

Tried to break the query by providing a single quote ('), and it resulted in an internal server error. This indicates that the input is interacting directly with the database.

Tried injecting a double quote ("), but it didn't throw any error, indicating that the application likely doesn't use double quotes for string delimitation in the SQL query.

Tried to determine the number of columns, but it threw an error. It seems like the application is validating or filtering out the commenting part (--).

Used (#) to see if it gives a 200 OK response, which indicates that the application has 2 columns.

Used ' UNION SELECT 1, 1# to find the data types, and it returned a 200 OK response. (Why did I use #? You should know by now.)

Both columns are visible in the response.

Since we know the data types, let’s go ahead and find the version details. In MySQL, we can use @@version to retrieve the database version.

Version details are successfully retrieved and visible in the response.
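
The root cause behind the behaviour seen in this walkthrough, as an added example that is not part of the original post or the lab's code: a category filter built by string concatenation beside its parameterized form. It uses Python's sqlite3 as an offline stand-in for MySQL, so the `#` comment is replaced by `-- `, and the table, column and function names are assumptions.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, description TEXT, category TEXT)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Cable", "USB-C cable", "Accessories"), ("Mug", "Ceramic mug", "Gifts")],
    )
    return db

def filter_vulnerable(db, category):
    # Weak form: the parameter is concatenated into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, description FROM products WHERE category = '" + category + "'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        return "HTTP 500"  # stands in for the internal server error in the write-up

def filter_hardened(db, category):
    # Corrected form: a bound parameter is always treated as data, never as SQL.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

# Inputs from the walkthrough; "-- " replaces "#" because SQLite has no "#" comment.
INPUTS = ["Accessories", "Accessories'", "Accessories' UNION SELECT 1, 1-- "]

if __name__ == "__main__":
    db = make_db()
    for value in INPUTS:
        print(repr(value))
        print("  concatenated :", filter_vulnerable(db, value))
        print("  parameterized:", filter_hardened(db, value))
```

With the bound parameter, the single quote and the UNION input are compared as literal category names and match no rows, so neither the error nor the injected row appears.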


Source: https://infosecwriteups.com/sql-injection-attack-querying-the-database-type-and-version-on-mysql-and-microsoft-85081e7eef71?source=rss----7b722bfd1b8d--bug_bounty