Lab: SQL injection UNION attack, retrieving multiple values in a single column

Posted on 2023-04-25 | Post modified | In Security Practice｜Portswigger Web Security Academy｜SQL |

Lab: SQL injection UNION attack, retrieving multiple values in a single column

tags: `Portswigger Web Security Academy` `Web`

Description: This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
Hint: The database contains a different table called users, with columns called username and password.

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Exp

Consider how many columns in this table

Payload: ?category=Lifestyle' UNION SELECT NULL,NULL--
Consider the type of each columns

Payload: ?category=Lifestyle' UNION SELECT 1,'a'--

As the payload above, the 1st column is number-based string, and 2nd column is text-based string.
通靈
: Find username and password

From the result above, there’s just one column is text-based string that we can inject, so we can use concatenate operator || to concatenate two strings that we query together.

Payload: ?category=Gifts' UNION SELECT NULL,username||'~'||password FROM users--
Login by username and password that we fetch

Post author: SBK6401
Post link: https://bernie6401.github.io/Lab-SQL-injection-UNION-attack,-retrieving-multiple-values-in-a-single-column/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.

Lab: SQL injection UNION attack, retrieving multiple values in a single column

tags: Portswigger Web Security Academy Web

Exp

tags: `Portswigger Web Security Academy` `Web`