
08 - SQL injection UNION attack, finding a column containing text

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.

The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

Given: Injection point (the product category filter)
Find: Number of columns, and the column compatible with string data
End goal: Print the given string (ppLAen) in an additional row using SQLi

(Screenshot: the string to print)

As we know the injection point is the product category filter, click on any category and intercept the request in Burp. Now we have to get the number of columns. If we use 2 NULL values it gives 500 Internal Server Error:

(Screenshot: Burp intercept)

After using 3 NULL values it gives 200 OK:

(Screenshot: Burp intercept)

That means the original query returns 3 columns.


Now we have to determine which column position is compatible with string data. To find it we can replace each NULL value, one at a time, with a string until we get 200 OK. A possible query would be: s'+UNION+SELECT+NULL,NULL,'ppLAen'--

(Screenshot: Burp intercept)

It gives 500 Internal Server Error, which means the string-compatible column is at a different position.


Now change the position of the string. A possible query would be: s'+UNION+SELECT+NULL,'ppLAen',NULL--

(Screenshot: Burp intercept)

It gives 200 OK, which means the 2nd column is compatible with string data; the above query returns the string placed at that position as an additional row of the output.
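To show why the probes above behave the way they do, and what the fix looks like, here is an added example that is not part of the original writeup or of the lab. It builds a three-column SQLite table in memory (the table name, column names and rows are constructed assumptions, not the lab's schema), runs the writeup's payloads through a deliberately vulnerable string-concatenated filter and through a parameterized one, and maps a database error onto the lab's 500 page and a successful query onto 200 OK. One caveat: SQLite is dynamically typed, so it does not reject a string in a non-text column the way the lab's database did; the column-count step, the extra row landing in column 2, and the effect of parameter binding do reproduce.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions, not the lab's schema.
SAMPLE_PRODUCTS = [
    (1, "Gifts", "Pet Rock"),
    (2, "Gifts", "Snow Globe"),
    (3, "Pets", "Hamster Wheel"),
]

# The probes from the writeup, with the URL-encoded '+' written as a plain space.
PROBE_TWO_NULLS = "s' UNION SELECT NULL,NULL--"
PROBE_THREE_NULLS = "s' UNION SELECT NULL,NULL,NULL--"
PROBE_STRING_COL3 = "s' UNION SELECT NULL,NULL,'ppLAen'--"
PROBE_STRING_COL2 = "s' UNION SELECT NULL,'ppLAen',NULL--"


def make_db():
    """Build an in-memory SQLite table with three columns, matching the lab's column count."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, category TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    """Deliberately vulnerable: the category value is concatenated into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT id, category, name FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def filter_parameterized(conn, category):
    """Hardened: the value is bound to a placeholder and is never parsed as SQL."""
    sql = "SELECT id, category, name FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def probe(conn, handler, category):
    """Map the outcome onto what the lab shows: a database error is the 500 page,
    a query that runs is 200 OK together with whatever rows came back."""
    try:
        return 200, handler(conn, category)
    except sqlite3.Error as exc:
        return 500, str(exc)


def run_probes():
    """Run each probe against the vulnerable filter, then the working payload against the fixed one."""
    conn = make_db()
    results = {
        # Column-count mismatch: the database rejects the UNION before running it.
        "two_nulls": probe(conn, filter_vulnerable, PROBE_TWO_NULLS),
        # Matching count: one all-NULL row is appended to the (empty) category result.
        "three_nulls": probe(conn, filter_vulnerable, PROBE_THREE_NULLS),
        # SQLite accepts text in column 3; the lab's database returned 500 here instead.
        "string_col3": probe(conn, filter_vulnerable, PROBE_STRING_COL3),
        # The string lands in the 2nd column of the extra row, as in the writeup.
        "string_col2": probe(conn, filter_vulnerable, PROBE_STRING_COL2),
        # Same payload, bound as a value: it is just a category name that matches nothing.
        "parameterized": probe(conn, filter_parameterized, PROBE_STRING_COL2),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, (status, body) in run_probes().items():
        print(f"{name:14} -> {status} {body}")
```

The contrast between the last two entries is the whole point of the fix: with a placeholder, the category value cannot change the shape of the query, so neither the column count nor the column types of the original SELECT are exposed to the user.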


Lab solved:
(Screenshot: lab solved)