SQL Injection - Lab #7 SQL injection attack, querying the database type and version on Oracle

Captions
Hi everyone, welcome back to another video in the Web Security Academy series. In today's video we'll be using a union-based SQL injection attack to query the database type and version on Oracle databases. All right, let's get started.

This lab contains a SQL injection vulnerability in the product category filter. So we've got SQL injection, and it's in the product category filter. You can use a UNION attack to retrieve the results from an injected query. To solve the lab, display the database version string. So the end goal is to display the database version string. All right, and they give us a hint over here; we're not going to look at it just yet. Let's access the lab. We'll add an analysis section. Okay, so it says make the database retrieve the string that is displayed on the screen, so the version of the Oracle database.

All right, so if we look at the application, it's the same, or at least a similar, shopping application that we've been dealing with in the previous labs. If we click on Gifts, so the category Gifts, it refines our search to the items that are related to the Gifts category, and we can see over here that the category parameter is included in the URL, and that's the field that is vulnerable based on the description of the lab. So to confirm that it is vulnerable, I'm gonna add a SQL character, a single quote, that will result in a syntax error, which should result in an internal server error at the application level. And it does. Okay, so this looks like it's vulnerable to SQL injection.

Now whatever we enter in this field over here gets displayed on the page, and that's why we can use a union-based SQL injection to exploit this vulnerability. And to do that, we said there are two steps that you need to do before you can output data from the database. The first one is to determine the number of columns that the vulnerable query is using. Now I can tell there has to be at least two columns, because you could see over here each item has two entries: one is the title of the item and then the description of the item. So my assumption is there's two columns, but there could be other columns that are not displayed on the page, and that's why we have to test for that. The way we do that is by using this payload over here, so ORDER BY and the column number. So when we order by a column, it should order the column on the page, and if we try to order by a column that does not exist, it should throw an internal server error. So we know there's at least one column because we can see it on the page, and so this should give us a 200 response code.

Okay, so let's do that using Burp. For those of you that are not familiar, this is pretty much a man-in-the-middle proxy that sits between the browser and the application: any requests that happen through the browser get sent to Burp first before they get sent to the application, and any responses from the application get sent to Burp first before they're sent back to the browser. All right, let's put this over here and click on the Proxy tab. So you'll see over here it's localhost 8080, and I'm going to use my FoxyProxy extension to set it to send requests to Burp. All right, and I'm going to click on Gifts one more time, and you'll see over here it intercepted the request. Now since I'm going to be sending multiple requests, I'm going to send it to Repeater and I'm going to work from there. Okay, so let's turn off the proxy and go back to Repeater.

All right, so let's copy our payload and then do Ctrl+U to URL encode it, hit Send, and we get a 200 response code, confirming that we have at least one column. Now if we do two and hit Send, we also get a 200 response code, confirming that we have at least two columns. Now let's try with three, and we get an internal server error. So let's write that down. What that means is that we're trying to order by a column that does not exist, and since we did this iteratively, that means that the number of columns that is used by the vulnerable query is three minus one, which is equal to two.

All right, the second thing to do in a union-based SQL injection attack is to determine the data types of the columns, and we said we do that using a UNION SELECT NULL query. So we know there's two columns, and what we're going to do is we're going to test each one using a text value, or a string. If the data type of this column is not compatible with the data type of the column that is used to filter on category, it should throw an error telling us that this column is not of type string, and if we don't get an error, that means that the column is also of type string. Now if we go back to the application, you could see over here both columns contain alphabets, and so they're both of type string, but let's test it out regardless, just in case. So I'm going to put both of them, because my assumption is that both of them are of type string based on what we see in the browser. Okay, again we need to URL encode it, Send, and I think we messed something up, so let me do this one more time. Okay, let's copy it, and we're missing a quote, and then Ctrl+U to URL encode it and hit Send.

Okay, so we're getting an internal server error again, which makes me think that this is an Oracle database, and I'll explain why in a second. So I should have known that based on just the lab description; it says querying the database type and version on Oracle, but I didn't read that properly. The reason I think that this is an Oracle database is because I know for sure that these two columns are of type text based on the browser over here; however, this still gave me an internal server error, which does not make sense. So what I'm going to do is I'm going to search "oracle select statement". Let's click on this entry over here. Okay, so it defines over here how you perform a SELECT statement in Oracle databases. So it says SELECT the number of columns FROM the table name. You go down over here and click on Oracle DUAL table. You'll notice over here that it says in Oracle the SELECT statement must have a FROM clause; however, some queries don't require any table. So in this scenario over here we don't have a FROM clause, and that's why this failed. Now I don't know the tables that I want to extract from, and this is just me putting strings in the columns, and so I need some dummy table to use in the FROM clause in order to be able to confirm the data types of the columns. Over here you'll see that it says Oracle provides you with a DUAL table, which is a special table that belongs to the schema of the user SYS but is accessible to all users, and so you could use it in scenarios like this where the data that you're outputting is not actually coming from a table. So let's try this over here, and then we'll do Ctrl+U to URL encode it, hit Send, and we get a 200 response. So now we know for sure that this is an Oracle database, and then if you go down you should see "a" and "a", so the content being outputted on the page.

All right, so those are the first two steps in a union-based SQL injection. The next thing to do is to output the version of the database. Okay, and to do that we're gonna go back to the exercise and look at the Hints section, because there you'll find a SQL injection cheat sheet which tells you what the command is for outputting the version on each type of database. So if you go down, and then in the section "Database version", it tells you how to output the database version when it comes to Oracle databases, when it comes to Microsoft databases, when it comes to MySQL databases, and so on. So we're looking for this one over here, since we know it's Oracle based on the fact that it threw an internal server error when we didn't enter a table name. So the command is over here. Okay, but we have to put that in our union-based SQL injection attack, so it would be UNION SELECT the banner, and then over here it's still two columns, so we still have to put a value, so NULL in the second column, and then we're going to say FROM the dollar sign version, and then the comment characters. Let's copy that and put it over here, and then again you need to URL encode it, that's Ctrl+U, hit Send, and we get a 200 response code.

Okay, so let's go down and see if we actually outputted the version. Okay, let's make that a little bit bigger. So you'll see over here it started opening the content, and the exact version we're looking for is this one over here, so Oracle Database 11g Express Edition Release and so on. And if we go back to the page, it should say "Congratulations, you've solved the lab". All right, so we've successfully completed the exercise. If you would like to see a detailed version of the video where we both exploit the vulnerability manually and then script it in Python, check out the video linked on the screen. Also make sure to hit the subscribe and share button so that the video reaches a wider audience. Thank you and see you in the next video.
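Added example, written for this page and not taken from the video or the lab: a small Python detector that percent-decodes the `category` parameter from constructed access-log lines and flags the probing sequence the walkthrough describes (a trailing single quote, ORDER BY column enumeration, UNION SELECT against Oracle's DUAL table, the v$version banner, trailing comment characters). The rule names, the common-log-format layout and the sample lines are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Detection rules for the probing steps the walkthrough describes: a bare quote
# to trigger a syntax error, ORDER BY column enumeration, UNION SELECT type probing
# via Oracle's DUAL table, the v$version banner, and trailing SQL comment characters.
RULES = [
    ("quote_syntax_probe", re.compile(r"'$")),
    ("order_by_probe",     re.compile(r"'\s*order\s+by\s+\d+", re.I)),
    ("union_select",       re.compile(r"\bunion\s+select\b", re.I)),
    ("oracle_dual",        re.compile(r"\bfrom\s+dual\b", re.I)),
    ("oracle_version",     re.compile(r"\bv\$version\b", re.I)),
    ("sql_comment",        re.compile(r"--|/\*")),
]

# Minimal common-log-format matcher (assumed layout): client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def decode_category(path):
    """Return the percent-decoded 'category' parameter of a request path, or None."""
    vals = parse_qs(urlparse(path).query, keep_blank_values=True).get("category")
    return vals[0] if vals else None

def classify(line):
    """Names of the rules the decoded category value of one log line trips."""
    m = LOG_RE.match(line)
    cat = decode_category(m.group("path")) if m else None
    return [] if cat is None else [name for name, rx in RULES if rx.search(cat)]

def scan(log_text):
    """Return (ip, status, rule_names) for every line whose category trips a rule."""
    findings = []
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            m = LOG_RE.match(line)
            findings.append((m.group("ip"), int(m.group("status")), hits))
    return findings

# Constructed sample log (not from the page); the 500s are the failed probes the
# walkthrough relies on, and the final two requests are the ones that succeeded.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2021:10:00:01 +0000] "GET /filter?category=Gifts HTTP/1.1" 200
203.0.113.5 - - [18/Apr/2021:10:00:05 +0000] "GET /filter?category=Gifts%27 HTTP/1.1" 500
203.0.113.5 - - [18/Apr/2021:10:00:09 +0000] "GET /filter?category=Gifts%27%20order%20by%203-- HTTP/1.1" 500
203.0.113.5 - - [18/Apr/2021:10:00:20 +0000] "GET /filter?category=Gifts%27%20union%20select%20%27a%27%2C%27a%27%20from%20dual-- HTTP/1.1" 200
203.0.113.5 - - [18/Apr/2021:10:00:31 +0000] "GET /filter?category=Gifts%27%20union%20select%20banner%2Cnull%20from%20v%24version-- HTTP/1.1" 200
"""
```

Correlating a run of 500s followed by a 200 on the same parameter from one client, as `scan(SAMPLE_LOG)` surfaces, is the signal the iterative ORDER BY and UNION probing leaves behind; the real fix remains parameterising the category filter.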
Info
Channel: Rana Khalil
Views: 33,967
Keywords: security, web security, owasp, open web application security project, sqli, sql injection, portswigger, web security academy, python, offensive security, bug bounty, scripting, burp, burp suite, oswe, offensive security web expert
Id: s0dFU2dKAKU
Length: 12min 34sec (754 seconds)
Published: Sun Apr 18 2021