Before performing a UNION-based attack, we need to check how many columns it has and how many contain text. We used the following payload to check whether we have one column but failed because the server gave an “Internal Server Error.” :
Next, by inserting two dummy values and receiving them in two columns, we confirmed that the SQL table indeed has two columns :
We were able to use the SELECT banner FROM v$version command customized to get the type and version of the Oracle database. The 'UNION SELECT banner,NULL FROM v$version-- part of the command is crucial. It instructs the database to combine the result of the original query (SELECT banner FROM v$version) with a second query that selects NULL values, effectively aligning the number of columns for the UNION operation. The -- at the end is a comment in SQL, ensuring that any remaining part of the original query is ignored by the database parser. This technique helps in successfully executing the UNION-based SQL injection attack, thus solving the lab:
Note :
- We had to URL encode the queries before sending them using Burp.