07 - SQL injection UNION attack, determining the number of columns returned by the query

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.
To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.

Given: Injection point (product category)
End goal: Use a UNION attack to determine the number of columns returned by the query


As we already know, the number of columns can be found by using ORDER BY. There is another method that gets the number of columns by using NULL values.


The application gives 200 OK only if the number of NULLs is equal to the number of columns. If we use a single NULL, then it gives 500 Internal Server Error.

If we use 2 NULL values, it still gives 500 Internal Server Error.

But if we use 3 NULL values, then it gives 200 OK.

That means the query returns 3 columns.
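The 500/500/200 pattern above, reproduced as an added example that is not part of the original write-up: a constructed in-memory SQLite table stands in for the lab's database, and a parameterized version of the same filter shows that binding the input removes the signal. The table layout and the function names `vulnerable_filter`, `safe_filter`, `null_probe` and `statuses` are assumptions made for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data; the filter below selects 3 of these columns.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                   [(1, "Mug", "Gifts", 4.5), (2, "Lamp", "Lighting", 19.0)])
    return db


def vulnerable_filter(db, category):
    # Vulnerable on purpose: the category value becomes part of the SQL text.
    sql = "SELECT id, name, price FROM products WHERE category = '" + category + "'"
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.Error:
        # A UNION with a different column count is a database error,
        # which the application surfaces as 500 Internal Server Error.
        return 500, []


def safe_filter(db, category):
    # Hardened: the value is bound as a parameter and is only ever compared as data.
    sql = "SELECT id, name, price FROM products WHERE category = ?"
    try:
        return 200, db.execute(sql, (category,)).fetchall()
    except sqlite3.Error:
        return 500, []


def null_probe(n):
    # The category value carrying a UNION SELECT with n NULLs.
    return "Gifts' UNION SELECT " + ", ".join(["NULL"] * n) + "--"


def statuses(handler, max_cols=4):
    # Status code returned for 1..max_cols NULLs, each against a fresh database.
    return [handler(make_db(), null_probe(n))[0] for n in range(1, max_cols + 1)]


if __name__ == "__main__":
    print("vulnerable:", statuses(vulnerable_filter))
    print("safe:      ", statuses(safe_filter))
```

With the bound parameter every probe returns 200 with an empty result, so the response no longer reveals the column count.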