Burp Suite User Forum

Create new post

Lab: SQL injection attack, querying the database type and version on Oracle

I | Last updated: Sep 04, 2023 06:45PM UTC

Hello there, I don't know if this legal but I'm going to write exactly what I did and the error I encountered (It doesn't say I have solved the lab). So I determined the number of columns required for the Query and determined which one is of the string data type. Having done that, I queried the database and retrieved the string (database type and version on Oracle) and it returned successfully in the application response. However it doesn't say I have solved the lab. The following is/are the commands I used which will reproduce the error I faced: 'UNION SELECT 'Oracle Database 11g Express Edition Release - 64bit Production, PL/SQL Release - Production, CORE Production, TNS for Linux: Version - Production, NLSRTL Version - Production', NULL FROM dual --

Ben, PortSwigger Agent | Last updated: Sep 05, 2023 09:05AM UTC

Hi, What you are seeing being displayed on the page is simply the query that you are running - to solve the lab you need to actually run a query that returns the database version information from the database itself (the solution and the SQL Injection cheat sheet run through this in more detail).

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.