SQL Injection - Lab #7 SQL injection attack, querying the database type and version on Oracle
Summary
TLDR: In this video, the presenter demonstrates how to exploit a union-based SQL injection vulnerability in a web application to retrieve the version of an Oracle database. The process involves identifying the vulnerability, determining the number of columns in the query, and confirming the data types before extracting the database version using a specific SQL command. The tutorial uses Burp Suite for intercepting requests, guiding viewers through the attack steps and explaining the reasoning behind each move. By the end, viewers learn to manually execute the SQL injection and retrieve critical information from the database.
Takeaways
- SQL injection is a common vulnerability in web applications, and the focus of this tutorial is on exploiting union-based SQL injection to extract data from an Oracle database.
- The goal of the lab is to retrieve the version string of the Oracle database using a union-based SQL injection attack.
- The vulnerable part of the application is the 'product category' filter in the URL, which is susceptible to SQL injection.
- To confirm the vulnerability, the first step is to inject a single quote (') into the 'category' field, which results in a syntax error and confirms the presence of SQL injection.
- The next step in a union-based SQL injection attack is determining the number of columns the vulnerable query uses. This is done by sending 'order by' queries and checking the response for errors.
- Once the number of columns is identified, the attacker needs to determine the data types of the columns by using a 'union select' query with null values, checking for any errors.
- The database version string can be retrieved by crafting a specific 'union select' query, utilizing the Oracle-specific 'dual' table to bypass the need for a target table.
- The Oracle-specific SQL syntax is explained, particularly the use of the 'dual' table to make queries work in situations where a table isn't explicitly involved.
- The union-based SQL injection attack is successful once the attacker can output the database version string, confirming the vulnerability exploitation.
- The process is demonstrated using Burp Suite, a popular web application proxy, to intercept and manipulate requests during the SQL injection attack.
- The lab concludes by revealing the Oracle database version, and the tutorial emphasizes the importance of understanding the basics of SQL injection and how it can be exploited.
Q & A
What is the goal of this video?
-The goal of the video is to demonstrate how to exploit a union-based SQL injection vulnerability in order to retrieve the database version string from an Oracle database.
What is SQL injection, and how is it relevant in this scenario?
-SQL injection is a code injection technique where malicious SQL statements are executed to manipulate or extract data from a database. In this scenario, the product category filter on a shopping application is vulnerable to SQL injection, allowing an attacker to retrieve sensitive information like the database version.
How do you confirm if a SQL injection vulnerability exists in the application?
-You can confirm the presence of a SQL injection vulnerability by adding a single quote (`'`) to the URL parameter, which triggers a syntax error. If the application responds with an internal server error, it suggests the presence of SQL injection.
What is the purpose of determining the number of columns in a union-based SQL injection?
-Determining the number of columns in the query is necessary to ensure that the injected query has the same number of columns as the original query. This allows the attacker to properly structure the `UNION` statement and extract data without errors.
How can you determine the number of columns used by the vulnerable query?
-The number of columns used in the vulnerable query can be determined by incrementally using the `ORDER BY` clause with different column numbers. When the query returns an internal server error, the column number is identified as one less than the value that caused the error.
What is the significance of the error message when testing column numbers?
-The error message reveals how many columns the original query returns. If an internal server error occurs when testing a certain column number, the query returns one fewer column than the value that was tested.
Why is it necessary to test the data types of the columns during a union-based SQL injection?
-Testing the data types of the columns ensures that the injected query matches the expected data type for each column. If the data type is incompatible, the query will fail, which could prevent successful exploitation.
How did the attacker determine that the database was running Oracle?
-The attacker deduced that the database was Oracle after receiving an internal server error when testing the column data types. This behavior is specific to Oracle, which requires every `SELECT` to have a `FROM` clause even when no real table is needed; Oracle's built-in `DUAL` table exists to satisfy that requirement, so a `UNION SELECT NULL, NULL FROM DUAL` probe succeeds where the bare `UNION SELECT NULL, NULL` fails.
What is the `DUAL` table in Oracle databases, and why is it important in SQL injection attacks?
-The `DUAL` table is a special table in Oracle that allows queries to return a single row of data without requiring a specific table. It is used in scenarios like SQL injection attacks when no actual table is referenced but a query still needs to be executed.
What SQL command is used to retrieve the database version in Oracle, and how is it used in this context?
-The SQL command to retrieve the Oracle database version is `UNION SELECT banner FROM v$version;`, padded with `NULL` for any remaining columns so that it matches the column count of the original query. This command is injected into the vulnerable query to output the version string, confirming the Oracle database version.
What additional resources are suggested for viewers who want to see a more detailed demonstration?
-Viewers are encouraged to watch the detailed video linked in the description, where both the manual exploitation of the vulnerability and scripting the attack in Python are covered.
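The following Python example is added here to illustrate the steps described above; it is not code from the video or from the lab. It uses an in-memory SQLite database with a constructed products table standing in for the shop's Oracle schema, so the payload is adapted accordingly: `sqlite_version()` takes the place of `banner FROM v$version`, and no `DUAL` table is needed because SQLite does not require a `FROM` clause. The function names, schema and rows are all assumptions for the demo. It runs the same three steps (single-quote break, `ORDER BY` column count, `UNION` version leak) against a string-concatenated query and against the parameterized fix, so you can see exactly what the fix changes.

```python
import sqlite3

# Constructed sample schema standing in for the shopping application's product
# table. This is an assumption for the demo, not the lab's real schema.
SCHEMA = """
CREATE TABLE products (name TEXT, description TEXT, category TEXT, released INTEGER);
INSERT INTO products VALUES ('Gift Card', 'A prepaid gift card', 'Gifts', 1);
INSERT INTO products VALUES ('Chew Toy', 'Durable dog toy', 'Pets', 1);
INSERT INTO products VALUES ('Unreleased Gadget', 'Not yet on sale', 'Gifts', 0);
"""

# SQLite stand-in for the page's Oracle payload `' UNION SELECT banner, NULL FROM v$version--`:
# sqlite_version() plays the role of v$version, and SQLite needs no FROM clause (no DUAL).
VERSION_PAYLOAD = "' UNION SELECT sqlite_version(), NULL--"


def make_db():
    """Fresh in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def filter_products_vulnerable(conn, category):
    """The defect the lab's category filter has: user input is pasted into the SQL text."""
    sql = ("SELECT name, description FROM products WHERE category = '"
           + category + "' AND released = 1")
    return conn.execute(sql).fetchall()


def filter_products_safe(conn, category):
    """Same query with a bound parameter: the value is data, never SQL syntax."""
    sql = "SELECT name, description FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()


def probe_column_count(conn, query_fn, limit=10):
    """Replays the ORDER BY step from the video against query_fn.

    The first ORDER BY n that raises an error means the query selects n-1 columns.
    Returns None when no probe errors, i.e. the input never reaches the SQL text.
    """
    for n in range(1, limit + 1):
        try:
            query_fn(conn, "' ORDER BY %d--" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def run_demo():
    """Runs both versions through the same steps and returns what each reveals."""
    conn = make_db()
    actual_version = conn.execute("SELECT sqlite_version()").fetchone()[0]
    return {
        "normal_vulnerable": filter_products_vulnerable(conn, "Gifts"),
        "normal_safe": filter_products_safe(conn, "Gifts"),
        "columns_vulnerable": probe_column_count(conn, filter_products_vulnerable),
        "columns_safe": probe_column_count(conn, filter_products_safe),
        "leak_vulnerable": filter_products_vulnerable(conn, VERSION_PAYLOAD),
        "leak_safe": filter_products_safe(conn, VERSION_PAYLOAD),
        "actual_version": actual_version,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Both versions return the same row for a normal category, which is why the bug is invisible in functional testing. Against the concatenated query the `ORDER BY` probe errors at 3 and so reports two columns, and the `UNION` payload returns a row carrying the engine version with `NULL` in the second column. Against the parameterized query the same inputs are simply compared against the `category` column: no error, no extra row, and the probe returns `None` because there is no column count to find.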