Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: SQL injection UNION attack, finding a column containing text

PRACTITIONER

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.

The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

ACCESS THE LAB

Solution

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.

  2. Determine the number of columns that are being returned by the query. Verify that the query is returning three columns, using the following payload in the category parameter:

    '+UNION+SELECT+NULL,NULL,NULL--

  3. Try replacing each null with the random value provided by the lab, for example:

    '+UNION+SELECT+'abcdef',NULL,NULL--
  4. If an error occurs, move on to the next null and try that instead.

Community solutions

Rana Khalil
z3nsh3ll

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find SQL injection vulnerabilities using Burp Suite

Try for free