Examining and listing the database contents with SQL injection attacks(UNION) on Oracle

This article is the writeup for Portswigger Academy's lab named "SQL injection attack, listing the database contents on Oracle"

Assuming that it is possible to do SQLi through one of the parameters(category parameter for this example); 2 conditions must be met for UNION attacks to be successful:

1. The individual queries must return the same number of columns.
2. The data types in each column must be compatible between the individual queries.

First, 'ORDER BY' can be used to find the number of columns. Example payloads:

• ' ORDER BY 2-- >> returns OK

• ' ORDER BY 3-- >> returns 500 - Server Error !

So we can say that there are 2 columns in first table. The second part of the UNION query must match with this. (first condition)

Now we can start experimenting with data types in these 2 fields.

Why is ORACLE different from other databases?

• On Oracle, every SELECT query must use the FROM keyword and specify a valid table. Although we do not have any information about the tables used by the application, we can use the built-in features of the database. There is a table on Oracle called dual which can be used for this purpose.

After determining the number of columns, we can use this payload to get information about their contents if there is a string type: '+UNION+SELECT+'m','m'+FROM+dual--

If we go a little further; when a query is sent with a category that does not normally exist, no results are returned from the left side of the UNION query, so we can only see the information we want as the content of the website. With this method, it is easier to examine the results. The new query is:

• ?category=hideleft'+UNION+SELECT+'m','m'+FROM+dual-- (note that there is no table called 'hideleft')

Since the server returns inputs without returning an error, we can verify the variable type of both columns.

The next step is to access the table names in the database. For this, we can use functions and keywords that work in ORACLE.

• '+UNION+SELECT+table_name,NULL+FROM+all_tables--

Lists the names of all tables in the DB. The target table can be found at this point.

Now, after the target table is found, the column names of this table can be queried and these columns can be used with SELECT to print the registered user information with a final query.

• '+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_NOKWZY'-- >> returns the columns of USERS table

• '+UNION+SELECT+USERNAME_OZJUYV,+PASSWORD_OQWBFF+FROM+USERS_NOKWZY--

Thanks for reading, good luck.