Burp Suite User Forum

LAB: SQL injection attack, listing the database contents on non-Oracle databases

Lucas | Last updated: Aug 23, 2022 08:33PM UTC

After finding the correct table, which will be something like users_olvixu, when you do an injection like so:

' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name = 'users_olvixu'--

the username and password column names are hidden. I'm not sure if this is intentional or not, but I almost gave up till I found the names in the Burp Suite Repeater. The tables show up in the Repeater, but not when viewing the source on the webpage.

Ben, PortSwigger Agent | Last updated: Aug 24, 2022 04:26PM UTC

Hi Lucas,

I have just run through this lab and found that the columns were being displayed on the page (they were just mingled within the normal text on the page itself) - see the screenshot below:

https://snipboard.io/sibkKE.jpg

Are you not seeing any of the names being displayed at all anywhere on the page?

Lucas | Last updated: Aug 24, 2022 08:22PM UTC

I wasn't seeing that at all. I even viewed the source code. I'm using Firefox, but I will try with Chrome.

Lucas | Last updated: Aug 24, 2022 08:30PM UTC

I tried Firefox again and I can see them now... I have no idea what happened there. Probably my fault.
