CTF-Writeups/Portswigger/SQLi-Labs/Lab6.md
2021-06-11 00:04:56 +05:00

49 lines
No EOL
1.7 KiB
Markdown

# Portswigger SQLi-Lab 6
## SQL injection attack, querying the database type and version on MySQL and Microsoft
This lab is similar to the lab#5 which invloved query version of oracle database , so this also involves the GET parameter `category` vulnerable to sqli
<img src="https://i.imgur.com/7ydvvXB.png"/>
<img src="https://i.imgur.com/BZBCH4a.png"/>
Here the blind sqli didn't work although I have it right but it's just not working so I launched burpsuite and intercepted the request and send it to burp repeater
<img src="https://i.imgur.com/ZwOu80C.png"/>
Now on your keyboard press `CTRL+R` this will send the request to brup repeater
<img src="https://i.imgur.com/Yl97L64.png"/>
<img src="https://i.imgur.com/V8TkIyI.png"/>
Our blind sqli works with burp don't know why but let's roll with it and identify the number of columns
<img src="https://i.imgur.com/L4zoLOm.png"/>
Notice that I used `--` , well in mysql both `#` and `--` works for comments but -- works if we supply a space afterwards that's why I included `+` which tells it's a space in url encoding
<img src="https://i.imgur.com/QsEg22D.png"/>
So second column exists as well , let's try for the third column
<img src="https://i.imgur.com/Sm8hPxj.png"/>
Here only 2 columns exists so now we can use union based sqli to know the version of mysql database
<img src="https://i.imgur.com/8pwEqu1.png"/>
With this we completed this lab
<img src="https://i.imgur.com/BNr1Jon.png"/>
In the end I noticed that all we wanted to do was to url encode our sqli payload
```sql
Accessories'+union+select+@@version,null+--+
```
<img src="https://i.imgur.com/Bvd35eo.png"/>
<img src="https://i.imgur.com/n28sR0V.png"/>