SQL injection attack, querying the database type and version on MySQL and Microsoft

In this post we will walk through step by step through how to solve SQL injection attack, querying the database type and version on MySQL and Microsoft on PortSwigger. This lab’s difficulty is Practitioner and it is the fourth lab in the SQL Injection labs on Portswigger. Our objective is to display the database version.

Link to lab: https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft

To begin the lab we need to click the Access the Lab button. Burp Suite Community Edition is all we need to solve this lab.

As we begin the lab we encounter a shop page showcasing various categories. It’s worth noting that the categories may differ from the screenshot as PortSwigger Labs can vary the content with each lab session.

 

When we click on the ‘Accessories’ page we’re greeted with two distinct sections of text. The first section serves as the header, while the second section constitutes the body of the content.

Using Burp Suite we can send this Gifts GET request to Repeater to analyze. This will allow us to send one request at a time to analyze HTTP Responses.

When we insert a single quote into the ‘category’ parameter the application responds with a 500 Internal Server Error. This error indicates that the server was unable to process the input and the single quote appears to have caused a breakdown in the application. This strongly suggests that we have identified a potential injection point for SQL Injection.

When we insert a second quote into the ‘category’ parameter the application responds with a 200 OK Response. This strongly suggests that we have identified a potential injection point for SQL Injection.

Our next step involves identifying the number of columns within the database table. We can achieve this by carefully analyzing the HTTP Responses and using an ‘order by’ clause. This technique entails crafting payloads with ‘order by <number>’ and incrementing the number to determine the exact count of columns in the database table.

When an ‘order by’ statement returns a result less than or equal to the actual number of columns we should observe a 200 HTTP response code. If the ‘order by’ statement exceeds the number of columns the response will typically be a 500 Internal Server Error. This process will help us determine the correct number of columns to proceed with our SQL Injection.

With the server returning a 500 with order by 3 we can determine the correct number of columns in the table is 2.

GET /filter?category=Accessories'+order+by+2--+-

To assist us in retrieving data from the page we can employ a union clause with the following payload: ‘ union select null, null– –

Get /filter?category=Accessories'+union+select+null,null+--+-

Let’s break what we have so far:

  1. The single quote serves to disrupt the normal SQL statement flow.
  2. The ‘union’ clause enables us to combine SQL statements, granting us the ability to construct our own SQL statement to extract information from the database.
  3. The ‘null, null’ segments serve as placeholders for our union clause and plays a vital role in reflecting data retrieved from the database. We use two ‘null’ values here because they align with the number of columns present in the database table.

Our next and final step is to obtain the version of the database.

Here is the PortSwigger SQL Injection Cheatsheet. We can use this to help us select the function needed to obtain the database version.

Get /filter?category=Accessories'+union+select+null,+version()--+-

After sending the payload the MySQL version is displayed on the web page.

Having successfully retrieved the MySQL version from the database we have accomplished our goal and solved the lab!

That completes the room! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Jarrod