Join us on May 15 for a live demo of how Burp Suite DAST solves real-world security challenges.            Register Now
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: SQL injection UNION attack, retrieving data from other tables

PRACTITIONER

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.

The database contains a different table called users, with columns called username and password.

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

ACCESS THE LAB

Solution

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.

  2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter:

    '+UNION+SELECT+'abc','def'--

  3. Use the following payload to retrieve the contents of the users table:

    '+UNION+SELECT+username,+password+FROM+users--
  4. Verify that the application's response contains usernames and passwords.

Community solutions

Intigriti
Rana Khalil
z3nsh3ll

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find SQL injection vulnerabilities using Burp Suite

Try for free