First, we used the following command to check how many columns we have to use for the UNION injection. Since this is an Oracle database, we had to append FROM dual to continue our attack, as dual is the dummy table that Oracle requires in a SELECT with no real table. We tried different comment sequences such as -- - and #, but the one that finally worked was just --. We also tried using numbers after the SELECT, which failed; using dummy strings such as 'abc' and 'def' succeeded, and showed that we can output text in two columns:

We then used the command below to list all the tables. Looking through the output, we found the table USERS_AOKPQH, which contains all the user data:

' UNION SELECT table_name,null from all_tables--

We checked the column names in that table using the command below:

' UNION SELECT column_name,null FROM user_tab_columns WHERE table_name = 'USERS_AOKPQH'--

We were finally able to retrieve the data of that table with a SELECT query and obtain the administrator's credentials:

' UNION SELECT USERNAME_JLKEMZ,PASSWORD_WJFMIC FROM USERS_AOKPQH--

We were able to log in using the credentials administrator:3gnkpktnqerdzvfcm3g6 and solve the lab:
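The root cause of the lab is a query built by string concatenation, and the fix is to pass user input as a bind variable. The following is an added example, not the lab's own code: it uses an in-memory sqlite3 database as a stand-in for Oracle (same -- comment terminator, no FROM dual needed), a constructed products table and a constructed USERS_AOKPQH row, and shows that the final payload from this write-up leaks the row through the concatenated query but returns nothing through the parameterised one.

```python
import sqlite3

# Constructed sample schema mirroring the lab's table and column names.
# sqlite3 stands in for Oracle; the secret value is made up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        INSERT INTO products VALUES ('Widget', 'A widget', 'Gifts');
        CREATE TABLE USERS_AOKPQH (USERNAME_JLKEMZ TEXT, PASSWORD_WJFMIC TEXT);
        INSERT INTO USERS_AOKPQH VALUES ('administrator', 'constructed-secret');
    """)
    return db

# The final payload from the write-up above.
PAYLOAD = "' UNION SELECT USERNAME_JLKEMZ,PASSWORD_WJFMIC FROM USERS_AOKPQH--"

def vulnerable_lookup(db, category):
    # String concatenation: the attacker's quote closes the literal and the
    # rest of the input is parsed as SQL, so the UNION appends rows from
    # USERS_AOKPQH and the trailing -- comments out the dangling quote.
    sql = "SELECT name, description FROM products WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

def hardened_lookup(db, category):
    # Bind variable: the whole input is compared as data against the
    # category column, so no category matches the payload and nothing leaks.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, PAYLOAD))  # [('administrator', 'constructed-secret')]
    print(hardened_lookup(db, PAYLOAD))    # []
    print(hardened_lookup(db, "Gifts"))    # [('Widget', 'A widget')]
```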