Lab 6: SQL injection attack, listing the database contents on Oracle

Introduction

This lab demonstrates a practical SQL injection attack against an Oracle-backed application. Using Burp Suite, I identified an injectable product category filter, confirmed the query structure with UNION-based payloads against the Oracle dual table, enumerated accessible tables and columns via all_tables and all_tab_columns, extracted credential data, and used the findings to gain administrative access.


Attack Methodology

  • Identify and Intercept: I identified a product category filter as a likely injection point, captured the request with Burp Suite, and forwarded it to the Repeater.

  • Determine Query Structure:

      • I used the payload '+UNION+SELECT+NULL,NULL+FROM+dual-- to determine the column count.

      • I then used '+UNION+SELECT+'abc','def'+FROM+dual-- to determine which columns accept text data.

      • In Oracle, the dual table is a single-row, single-column table used for queries that don't need to reference an actual table. This confirmed the query returned two text-based columns.

  • Enumerate Tables: To list all tables, I queried the all_tables system view, which contains information about all tables accessible to the current user. The payload was '+UNION+SELECT+table_name,NULL+FROM+all_tables--. This revealed a user-credential table named USERS_RHHMPK.

  • Enumerate Columns: I queried the all_tab_columns system view to list column names for the discovered table. The payload used was:

'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_RHHMPK'--

This revealed the credential columns USERNAME_ESOTPV and PASSWORD_CRXGSZ.

  • Extract Credentials: I used a final payload to retrieve all usernames and passwords from the identified table: '+UNION+SELECT+USERNAME_ESOTPV,+PASSWORD_CRXGSZ+FROM+USERS_RHHMPK--. This successfully exposed the administrator's password.

  • Login and Completion: Using the stolen password, I logged in as the administrator, demonstrating full control and completing the lab.

Summary

Step-by-step walkthrough of an Oracle SQL injection: identifying the injection point, determining column count and data types using the dual table, enumerating tables and columns with Oracle system views, extracting usernames and passwords from the discovered USERS_RHHMPK table, and logging in as the administrator. The lab highlights how UNION-based payloads and Oracle system views can reveal sensitive database contents when inputs are not properly sanitized.
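From the defender's side, the payloads above leave a recognisable trail in web server logs once the request parameters are URL-decoded. The following is an added example (not part of the lab writeup or of Burp Suite) that decodes each query-string parameter and flags the UNION/dual/catalog-view patterns this lab relies on; the log lines and the /filter?category= endpoint are constructed assumptions.

```python
# Flag UNION-based Oracle SQL injection attempts in web access logs.
# Added example, not part of the lab writeup; all log lines are constructed.
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: the first three requests carry the lab's payloads,
# the last two are ordinary category lookups (one with percent-encoding).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /filter?category=Gifts'+UNION+SELECT+NULL,NULL+FROM+dual-- HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2025:10:00:07 +0000] "GET /filter?category=Gifts'+UNION+SELECT+table_name,NULL+FROM+all_tables-- HTTP/1.1" 200 9833
10.0.0.5 - - [01/Jan/2025:10:00:15 +0000] "GET /filter?category=Gifts'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_RHHMPK'-- HTTP/1.1" 200 6002
10.0.0.9 - - [01/Jan/2025:10:01:00 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 4210
10.0.0.9 - - [01/Jan/2025:10:01:03 +0000] "GET /filter?category=Pets%20%26%20Animals HTTP/1.1" 200 4301
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Checked against the decoded, lower-cased value, so '+'/%20 spacing,
# mixed case and percent-encoding do not hide the payload.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "oracle_dual": re.compile(r"\bfrom\s+dual\b"),
    "oracle_catalog": re.compile(r"\b(?:all|dba|user)_(?:tables|tab_columns)\b"),
    "comment_terminator": re.compile(r"--\s*$"),
}


def decode_params(request_target):
    """Return {name: decoded value} for the query string of a request target."""
    query = urlparse(request_target).query
    # parse_qs splits on '&' first, then decodes '+' and %xx inside each value.
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def classify_value(value):
    """Return the indicator names that match one decoded parameter value."""
    lowered = value.lower()
    return [name for name, rx in INDICATORS.items() if rx.search(lowered)]


def scan_log(log_text):
    """Return (client_ip, param, indicators) for each request that trips an indicator."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for param, value in decode_params(match.group(1)).items():
            found = classify_value(value)
            if found:
                hits.append((client_ip, param, found))
    return hits
```

Running scan_log(SAMPLE_LOG) reports the three injection requests from 10.0.0.5 and nothing for the legitimate lookups; in practice the same check belongs in a WAF or SIEM rule, and the real fix is to bind the category value as a query parameter rather than concatenating it into the SQL.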
