Burp Suite User Forum


Presumable bug in lab: SQL injection attack, listing the database contents on Oracle

Gergely | Last updated: Apr 05, 2020 09:18PM UTC

Hi, I'm doing the lab mentioned in the subject, and I think I found a bug. If I list the tables from the database I get a huge list, but I can't list the content of any of the tables. I used this URL to get the credentials:

https://ace31f311f9ae82c80415f00003500ea.web-security-academy.net/filter?category=Food+%26+Drink'+UNION+SELECT+NAME,+PASSWORD+FROM+USER$--

I've successfully done the other lab with a non-Oracle DB before, so the same logic has to work here as well, but I'm stuck because of this technical issue. Please let me know whether I missed something or the issue is real. Thanks, Gergely

Ben, PortSwigger Agent | Last updated: Apr 06, 2020 09:09AM UTC

Hi, are you using Burp to deliver the payloads, or are you trying to type them directly into the address bar of your browser? As noted in the solution to the lab, the recommendation is to use Burp to intercept and then modify the requests that you are making.

mithrindel | Last updated: May 27, 2020 10:23PM UTC

Hi, I have the same issue. I tried using Burp to intercept but am still getting "Internal Server Error"... any hints?

Ben, PortSwigger Agent | Last updated: May 28, 2020 08:44AM UTC

Hi, what payload are you trying to use?

mithrindel | Last updated: May 29, 2020 01:07AM UTC

'+UNION+SELECT+NAME,+PASSWORD+FROM+USER$--

Same situation as OP actually: I successfully completed the other non-Oracle lab and all steps of this lab except for the very last one. I tried other columns like EXT_USERNAME and USER#, tried encoding special characters, but I keep getting the "Internal Server Error" message. Not sure what I'm missing..

Ben, PortSwigger Agent | Last updated: May 29, 2020 09:04AM UTC

Hi, your final payload should look something like this, where USERNAME_WYHWMS and PASSWORD_GQSMYQ are the column names in the USERS_YMQREF table that you have previously verified to contain the credentials:

'+UNION+SELECT+USERNAME_WYHWMS,+PASSWORD_GQSMYQ+FROM+USERS_YMQREF--

These are randomly generated in each lab, so you need to find out what they are in your particular lab. I have just done a quick run-through of the lab and was able to successfully solve it using the provided solution.

mithrindel | Last updated: May 29, 2020 06:13PM UTC

Got it now, thank you. I guess my mistake was at the previous step, when getting the name of the USERS_XXXXX table. I did look for it specifically, just as I did for the non-Oracle lab, but I could swear it didn't show up before - or something is wrong with my eyes. Anyway, thanks for the support!

Sandeep | Last updated: Mar 21, 2021 02:05PM UTC

Hi, I spent a long time on this one and am not getting the last step done. This is the decoded form of the payload I am sending through Repeater:

' union SELECT NAME,PASSWORD from USER$ --

This is the string in HTML encoding:

'%20union%20SELECT%20NAME%2cPASSWORD%20from%20%20USER%24%20--

I am not sure what I am missing :-) If someone can help, that will be great. Using Burp Repeater to fire various requests.

Ben, PortSwigger Agent | Last updated: Mar 22, 2021 08:19AM UTC

Hi,

Are you sure that you are using the correct column and table names for this final payload (you should have found the appropriate column and table names in the previous steps of this lab)?

Sandeep | Last updated: Mar 23, 2021 06:56AM UTC

Hi, I am getting the table names as below:

User$
USER_HISTORY$

and a bunch of other tables which I think are not relevant. I run Burp with the payload as below:

Lifestyle' UNION SELECT column_name,DATA_TYPE FROM all_tab_columns WHERE table_name='USER$'--

And get many columns with data types, out of which Name and Password are the relevant ones I suppose:

NAME: VARCHAR2
PASSWORD: VARCHAR2
PTIME: DATE

Finally I get an internal server error even when I run the payload as below:

Lifestyle' UNION SELECT NAME,PASSWORD from USER$--

Have done this like 10 times yet keep getting the same error :-( Please help.

Ben, PortSwigger Agent | Last updated: Mar 23, 2021 08:25AM UTC

Hi,

The actual user table that you are interested in is in the format USERS_ABCDEF (where the ABCDEF part is randomly generated and needs to be found for each specific lab). I would suggest you go back and look for this table first before then finding the column names containing the usernames and passwords (which will also be in similar format to the table name).

The solution provided gives you instructions on how to do this if you are stuck.

Sandeep | Last updated: Mar 23, 2021 11:28AM UTC

Hi, thanks much @Ben. I was able to solve this finally. Now I get that there can be multiple user tables with similar columns, and one must try all the ones which are candidates. Many thanks again!!
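The thread boils down to two facts: the UNION only returns rows when the table and column names exist and match the original SELECT, and the whole problem disappears once the category value is bound as a parameter instead of concatenated into the query. The following is an added example, not code from the lab or from PortSwigger, that rebuilds the `filter?category=` query in Python over an in-memory SQLite database standing in for Oracle (so Oracle's USER$ and all_tab_columns do not exist here). The `products` table, its columns and the sample rows are constructed; the USERS_YMQREF table and its column names are the ones quoted in Ben's reply.

```python
import sqlite3

# Constructed stand-in for the lab's database (SQLite, not Oracle):
# a product table plus the credentials table named in the thread.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT);
        INSERT INTO products VALUES ('Tea', 'Food & Drink'), ('Lamp', 'Lifestyle');
        CREATE TABLE USERS_YMQREF (USERNAME_WYHWMS TEXT, PASSWORD_GQSMYQ TEXT);
        INSERT INTO USERS_YMQREF VALUES ('administrator', 'constructed-secret');
    """)
    return conn

def filter_vulnerable(conn, category):
    # String concatenation: the category value becomes part of the SQL text,
    # so a quote inside it closes the literal and the rest is parsed as SQL.
    sql = "SELECT name, category FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()

def filter_parameterized(conn, category):
    # Bound parameter: the value is never parsed as SQL, so the same input is
    # just compared against the category column and matches no row.
    sql = "SELECT name, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()

# Payload shape from the thread with the lab's randomised names filled in.
# Column count must match the original SELECT for the UNION to succeed.
PAYLOAD = "Lifestyle' UNION SELECT USERNAME_WYHWMS, PASSWORD_GQSMYQ FROM USERS_YMQREF--"

def wrong_table_fails(conn):
    # The USER$ guess from the thread: a UNION against a name the database
    # does not know raises an error instead of returning rows, which is the
    # generic "Internal Server Error" the posters kept seeing.
    try:
        filter_vulnerable(conn, "Lifestyle' UNION SELECT NAME, PASSWORD FROM USER$--")
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = build_db()
    print(filter_vulnerable(db, PAYLOAD))     # product row plus the credential row
    print(filter_parameterized(db, PAYLOAD))  # [] : no category equals the payload
    print(wrong_table_fails(db))              # True
```

The same contrast is what a code review or a log of 500 responses on the filter endpoint should surface: the concatenated version leaks a second table's rows or errors, the parameterized version does neither.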
