Portswigger SQLi-Lab 7

Hello everyone , in this post I will be sharing my solution for the 7th sqli lab from portswigger . This lab was easy just needed to query data from information.schema which is holds all the information for the database.

SQL injection attack, listing the database contents on non-Oracle databases

First we need to identify the number of columns , we can do that with the help of order by

Now if I try to run order by 3 it will give an error meaning there are only two columns in the table

So now we can perform union based sqli

Let’s query the version of database being used

Gifts' union select version(),null --

We can look for a cheat sheet for postgresql on how to query the table name and portswigger has made a neat little cheat sheet for this

For our sqli payload will look like this

Gifts' union select table_name,null from information_schema.tables --

Neat , we have found the users table which is named users_bkrkxr

This table contains two columns , hopefully they are username and password but we don't know that yet so we'll use the cheat sheet to get the column names as well so let's run this sqli payload to get column names as well

Gifts' union select column_name,null from information_schema.columns where table_name='users_bkrkxr' --

So what’s happening here is that we are querying for column_name from information_schema.columns which holds information for all the columns in the table available in the current database with a condition in which the table matches users_bkrkxr

We have the names of the 2 columns now this will become easy for us to retreive the data from it

Gifts' union select username_lshein,password_adqjqk from users_bkrkxr --

Now we just need to login with adminstrator’s credential

BS CS undergraduate | CTF Player