Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: SQL injection UNION attack, determining the number of columns returned by the query

PRACTITIONER

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.

To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.

ACCESS THE LAB

Solution

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.
  2. Modify the category parameter, giving it the value '+UNION+SELECT+NULL--. Observe that an error occurs.

  3. Modify the category parameter to add an additional column containing a null value:

    '+UNION+SELECT+NULL,NULL--
  4. Continue adding null values until the error disappears and the response includes additional content containing the null values.

Community solutions

Rana Khalil
z3nsh3ll

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find SQL injection vulnerabilities using Burp Suite

Try for free