The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


LAB: SQL injection attack, listing the database contents on non-Oracle databases

Lucas | Last updated: Aug 23, 2022 08:33PM UTC

After finding the correct table, which will be something like users_olvixu, when you do an injection like so:

' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name = 'users_olvixu'--

the username and password column names are hidden. I'm not sure if this is intentional or not, but I almost gave up till I found the names in the Burp Suite Repeater. The tables show up in the Repeater, but not when viewing the source on the webpage.

Ben, PortSwigger Agent | Last updated: Aug 24, 2022 04:26PM UTC

Hi Lucas,

I have just run through this lab and found that the columns were being displayed on the page (they were just mingled within the normal text on the page itself) - see the screenshot below:

https://snipboard.io/sibkKE.jpg

Are you not seeing any of the names being displayed at all anywhere on the page?

Lucas | Last updated: Aug 24, 2022 08:22PM UTC

I wasn't seeing that at all. I even viewed the source code. I'm using Firefox, but I will try with Chrome.

Lucas | Last updated: Aug 24, 2022 08:30PM UTC