




8. SQL injection attack, listing the database contents on non-Oracle databases

We abuse a SQL injection vulnerability to conduct another UNION attack. This time, we use the UNION
attack to retrieve information about the target's database, specifically the tables that exist and
their columns. After exposing the name of the users table, we expose that table's username and
password columns. Then we use the previous CONCAT()-based attack to leak the administrator's
username and password. With the administrator's credentials exposed, we can log in as the
administrator.
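
Seen from the detection side, the three steps above leave a recognizable sequence in the web server's access log. The following is an added example, not part of the original writeup: it flags each step and reports clients that completed the whole chain. The log lines, path, parameter, addresses and `_xxxxxx` names are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# One rule per step of the enumeration described above, in the order it is carried out.
STAGES = [
    ("list_tables", re.compile(r"\bunion\b.*\bselect\b.*\binformation_schema\.tables\b")),
    ("list_columns", re.compile(r"\bunion\b.*\bselect\b.*\binformation_schema\.columns\b")),
    ("dump_credentials", re.compile(r"\bunion\b.*\bselect\b.*\bconcat\s*\(.*\bfrom\s+\w*users?\w*")),
]
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')

# Constructed log lines; path, parameter, addresses and *_xxxxxx names are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /products?category=Gifts HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:10:02:10 +0000] "GET /products?category=Gifts%27+UNION+SELECT+table_name,NULL+FROM+information_schema.tables-- HTTP/1.1" 200 9120
198.51.100.7 - - [01/Jan/2024:10:03:44 +0000] "GET /products?category=Gifts%27+UNION+SELECT+column_name,NULL+FROM+information_schema.columns+WHERE+table_name=%27users_xxxxxx%27-- HTTP/1.1" 200 5400
198.51.100.7 - - [01/Jan/2024:10:05:02 +0000] "GET /products?category=Gifts%27+UNION+SELECT+NULL,CONCAT(username_xxxxxx,%27:%27,password_xxxxxx)+FROM+users_xxxxxx-- HTTP/1.1" 200 5300
203.0.113.9 - - [01/Jan/2024:11:00:00 +0000] "GET /products?category=x%27+union+select+table_name,NULL+from+information_schema.tables-- HTTP/1.1" 500 310
192.0.2.15 - - [01/Jan/2024:11:30:00 +0000] "GET /search?q=credit+union+select+committee HTTP/1.1" 200 2048
"""

def classify(line):
    """Return (client_ip, stage) if the request matches a rule, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    text = re.sub(r"\s+", " ", unquote_plus(m["url"])).lower()  # decode, fold case/space
    for name, pattern in STAGES:
        if pattern.search(text):
            return m["ip"], name
    return None

def scan(log_text):
    """Map each client IP to the stages it triggered, in the order seen."""
    hits = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.setdefault(result[0], []).append(result[1])
    return hits

def full_chain(hits):
    """Clients that walked all three stages in order: treat as credential exposure."""
    order = [name for name, _ in STAGES]
    def in_order(seen):
        it = iter(seen)
        return all(stage in it for stage in order)  # ordered-subsequence check
    return sorted(ip for ip, seen in hits.items() if in_order(seen))
```

A client returned by `full_chain(scan(SAMPLE_LOG))` has reached the credential step, so the response should include rotating the exposed passwords as well as fixing the injectable query.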


Solution