Burp Suite User Forum

Login to post

Lab: SQL injection attack, listing the database contents on non-Oracle databases

Manny | Last updated: Sep 04, 2020 11:11AM UTC

I don’t seem to find the login details to complete the lab. Using ‘UNION SELECT COLUMN_NAME,NULL FROM Information_schema.columns WHERE TABLE_NAME =‘pg_user’— gave columns which were usename and passwd with other ones. So, when I used ‘UNION SELECT usename, passwd FROM pg_user , the username and password I got were postgres and ****** which when I tried using to login, did not work. Please any help?

Hannah, PortSwigger Agent | Last updated: Sep 04, 2020 11:41AM UTC

Try looking in a different table for your users. The solution gives a hint as to the formats of the different tables (for example, USERS_ABCDEF).

Manny | Last updated: Sep 04, 2020 12:54PM UTC

Ok. Thank you. I will try that now. Didn’t even know there were solutions lol. Never checked

Manny | Last updated: Sep 04, 2020 12:54PM UTC

Ok. Thank you. I will try that now. Didn’t even know there were solutions lol. Never checked

You need to Log in to post a reply. Or register here, for free.