SQL Injection Attack, Querying the Database Type and Version on MySQL and Microsoft


A Portswigger Lab

Marduk I Am

Welcome back!

Lab description: This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

To solve the lab, display the database version string.

Hint: You can find some useful payloads on PortSwigger's SQL injection cheat sheet.

NOTE: I will be using Burp Suite Community Edition to help complete this lab, so you may want to have that up and running. If you’re not sure what Burp is or how to use it, check out this tutorial: Burpsuite Basics (FREE Community Edition) by John Hammond.

This lab is solved in a manner very similar to the previous one. However, this time, we know the database is either Microsoft SQL Server or MySQL.

The key difference lies in the syntax of the queries we use. In real-world scenarios, we usually do not know in advance what type of database we are dealing with; we deduce it by observing which syntax the server accepts and which it rejects.

With Burp Suite running, access the lab, and you will be brought to our vulnerable shopping page. The vulnerability is in the product category filter, so pick any one. Given the choice, I always choose ‘Pets’.

Lab shopping page showing the product category filters

After clicking on your choice, head over to Burp and find your filter request in the site map on the left-hand side. Right-click it and select ‘Send to Repeater’.

Burp Suite showing where to find filter and the repeater tab

First, we need to verify that the server is vulnerable to SQL injection (SQLi). Burp’s Repeater is an excellent tool for this, as it allows us to send multiple requests and analyze their responses efficiently.

In Burp Repeater, alter your GET request by adding a single quote (‘), directly following your filter and click ‘Send’.

The 500 response tells us the server did not handle the extra single quote correctly: the quote most likely broke the SQL string literal our filter value is inserted into, so the database rejected the query. That makes this site a strong candidate for a SQLi attack.

We will use a UNION SELECT query to determine the database version. For the UNION query to succeed, two requirements must be met:

1. The number of columns must be the same.
2. The data types of each column must match.

If these conditions are not met, the query will fail. In the previous lab, we used the ORDER BY clause to determine the number of columns by observing the server’s responses to these queries:

-- Testing for # of columns in last lab
' ORDER BY 1 -- gave a 200 response
' ORDER BY 2 -- gave a 200 response
' ORDER BY 3 -- gave a 500 response
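As an added illustration of why those two requirements matter (this is example code, not part of the lab or the original post), the block below rebuilds the lab's filter in two flavours against an in-memory SQLite table with constructed sample rows: one that pastes the filter value into the SQL string, and one that binds it as a parameter. A small probe collapses each outcome to the "ok"/"error" signal the lab exposes as a 200 or 500 status, and the same ORDER BY walk the post performs by hand is run against both versions. The table schema and product rows are assumptions. Note that SQLite only recognises the `--` comment form, so the MySQL-specific `#` terminator and `@@version` from later in the post are not used here.

```python
import sqlite3

# Constructed sample rows standing in for the lab's product table (assumption:
# the real schema is not on the page; two displayed text columns is what the
# shopping page shows, so the filter selects name and description).
PRODUCTS = [
    ("Pets", "Gnome Hunter", "A garden gnome with attitude."),
    ("Pets", "Cat Hoodie", "Keep your cat warm."),
    ("Gifts", "Mood Ring", "Changes colour with your mood."),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (category TEXT, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    """The bug: the filter value is concatenated into the SQL text, so a quote
    closes the string literal and the rest of the input is parsed as SQL."""
    sql = "SELECT name, description FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()


def filter_safe(conn, category):
    """The fix: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT name, description FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def probe(conn, handler, category):
    """Collapse the outcome to the two signals the lab reads off the HTTP status:
    'ok' stands for a 200 response, 'error' for the 500 the lab returns when the
    database rejects the query."""
    try:
        return "ok", handler(conn, category)
    except sqlite3.OperationalError:
        return "error", []


def column_count_via_order_by(conn, handler, max_cols=10):
    """Reproduce the ORDER BY walk from the post: the first index the database
    rejects is one past the column count. Returns None when nothing is rejected,
    which is exactly what happens against the parameterised handler."""
    for n in range(1, max_cols + 1):
        status, _ = probe(conn, handler, f"' ORDER BY {n}--")
        if status == "error":
            return n - 1
    return None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable filter, columns found:", column_count_via_order_by(conn, filter_vulnerable))
    print("safe filter, columns found:", column_count_via_order_by(conn, filter_safe))
    # Two injected literals match the two result columns, so the UNION succeeds...
    print(probe(conn, filter_vulnerable, "' UNION SELECT 'Marduk','James'--"))
    # ...while three do not, which is the column-count requirement failing.
    print(probe(conn, filter_vulnerable, "' UNION SELECT 'a','b','c'--"))
    # The parameterised filter just looks for a category with that literal name.
    print(probe(conn, filter_safe, "' UNION SELECT 'Marduk','James'--"))
```

Running it shows the vulnerable handler reporting two columns and accepting the two-literal UNION while rejecting the three-literal one, whereas the parameterised handler never errors and never returns injected rows, because the whole payload is compared against the category column as an ordinary string.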

Let’s start by trying the same ORDER BY clauses to see if they work. In Burp add the first ORDER BY query directly following your filter. Do not forget to highlight and URL encode your payload with ‘Ctrl+u’ and click ‘Send’.

Request and response for ' ORDER BY 1-- did not work. 500 response.

It did not work. But why? Let’s take a look at the provided cheat sheet.

This is where the syntax of our queries becomes important. Sometimes, when a query doesn’t work, it’s still providing us with valuable information.

Our initial payload would have worked if this were an Oracle, Microsoft, or PostgreSQL database. MySQL, however, only treats -- as a comment when it is followed by whitespace, so the -- immediately followed by the application's closing quote is not a comment at all and the query breaks. If you encode an extra space at the end of the payload and send it, the server will respond with a 200 status, indicating success.

Let’s try the pound sign (#) to end our request instead. The # comment character is also specific to MySQL, so if it works we learn the database type at the same time.

-- Payload
' ORDER BY 1#
-- Payload Encoded
'+ORDER+BY+1%23

Alter your GET request in Burp Repeater by adding our ORDER BY payload directly after your filter and click ‘Send’.

Burp repeater view. ‘ ORDER BY 1# worked. We got a 200 response.

It worked. We got a 200 response, so we know there is at least one column AND that we are working with a MySQL database.

Let’s see about two columns. Change the ‘1’ to a ‘2’ and click ‘Send’. You should also get a 200 response, indicating that there are at least two columns.

Burp Repeater view showing ‘ORDER BY 2# worked. We get a 200 response.

What about three columns?

Burp Repeater showing a 500 response from ‘ ORDER BY 3# request

It did not work. We got a 500 response from the server telling us that there is not a third column. Only two.

We figured out how many columns we are dealing with, but what about the data types? Looking at the shopping page, we can see it is just giving us a list of products and each product’s description. Both columns should therefore accept text strings.

Let’s verify that by injecting some words onto the site page with the UNION SELECT query. Feel free to change the string to whatever you like.

-- Payload
' UNION SELECT 'Marduk','James'#
-- Encoded payload
'+UNION+SELECT+'Marduk','James'%23

Replace your ORDER BY payload with our new UNION SELECT payload in Burp Repeater and click ‘Send’.

Burp Repeater view showing a 200 response from ‘ UNION SELECT ‘Marduk’,’James’#

It worked. We get a 200 response. You can click ‘Render’ in Burp or copy and paste the URL into your browser to view the results.

Our injected strings onto the page.

Success. The UNION SELECT attack has injected our text strings onto the web page.

Knowing our UNION SELECT attack is working correctly, all that is left is to replace one of the columns, ‘Marduk’, with the appropriate query from the provided cheat sheet.

Cheat sheet showing to use @@version to retrieve MySQL database version.

Your final payload should look like the following:

-- Payload
' UNION SELECT @@version,'James'#
-- Encoded payload
'+UNION+SELECT+%40%40version,'James'%23
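The encoded payloads above are exactly what a web server log records, so this is a natural point to look at the other side. The block below is an added detection example (not code from the lab or the original post): it parses constructed access-log lines in common log format, URL-decodes each query parameter the way the server does (so `+`, `%23` and `%40%40` come back as a space, `#` and `@@`), and scores the decoded values against the signals this walkthrough relies on: a quote followed by ORDER BY or UNION SELECT, a comment terminator, and the @@version global. A lone apostrophe is only reported when the server answered 500, mirroring the first probe of the lab. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the page). The query strings reuse the
# encoded payload shapes shown in the walkthrough; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=Pets HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /filter?category=Pets' HTTP/1.1" 500 1024
10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /filter?category=Pets'+ORDER+BY+1%23 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /filter?category=Pets'+UNION+SELECT+'Marduk','James'%23 HTTP/1.1" 200 5200
10.0.0.5 - - [01/Jan/2024:10:00:31 +0000] "GET /filter?category=Pets'+UNION+SELECT+%40%40version,'James'%23 HTTP/1.1" 200 5210
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 4980
10.0.0.9 - - [01/Jan/2024:10:01:05 +0000] "GET /product?id=3 HTTP/1.1" 200 3000
"""

# Common log format: client, ident, user, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Signals are checked on the *decoded* parameter value. Order matters only for
# the readability of the reported list; bare_quote is deliberately last.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"'\s*union\s+select\b", re.I)),
    ("order_by_probe", re.compile(r"'\s*order\s+by\s+\d+", re.I)),
    ("comment_terminator", re.compile(r"(#|--\s|/\*)")),
    ("version_global", re.compile(r"@@version", re.I)),
    ("bare_quote", re.compile(r"'")),
]


def decode_param_values(target):
    """Return (name, value) pairs with the same decoding the server applies:
    parse_qs turns '+' into a space and %xx escapes into their characters."""
    query = urlsplit(target).query
    return [(k, v) for k, vs in parse_qs(query, keep_blank_values=True).items() for v in vs]


def classify_value(value):
    """Names of every signal that fires on one decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]


def scan_log(text):
    """One finding per (request, parameter) that carries an injection signal.
    A lone apostrophe is too weak by itself (names like O'Brien), so it is only
    kept when the server answered 500, i.e. the quote broke the query."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m["status"])
        for param, value in decode_param_values(m["target"]):
            signals = classify_value(value)
            if not signals:
                continue
            if signals == ["bare_quote"] and status != 500:
                continue
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": status,
                "param": param, "value": value, "signals": signals,
            })
    return findings


def probing_ips(text, min_findings=2):
    """Sources with repeated findings: the quote, ORDER BY and UNION steps of
    the walkthrough arrive as a sequence from one client, not a single request."""
    counts = {}
    for f in scan_log(text):
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= min_findings}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["param"], repr(f["value"]), f["signals"])
    print("probing sources:", probing_ips(SAMPLE_LOG))
```

Decoding before matching is the important design choice: a rule written against the raw request line would have to enumerate `%23`, `%40`, `+` and the other encodings Burp's Ctrl+U produces, and would miss the next variant. Matching on the decoded value sees the same text the database is about to see.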

Replace your payload in Burp Repeater and click ‘Send’.

Burp Repeater showing a 200 response for ‘ UNION SELECT @@version,’James’#. It worked.

It worked! You should have had a ‘Congratulations’ pop up on the page. You can view the results by rendering the page in Burp or by copying and pasting the URL into your browser.

Congratulations, You solved the lab

Scroll down to view the version.

Page is displaying the version of the database.

Congratulations! You solved another one! Keep up the great work!

See you next time!
