10 - SQL injection UNION attack, retrieving multiple values in a single column

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

The database contains a different table called users, with columns called username and password.

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Given: Injection point (product category), table (users), columns (username, password)
Find: A column compatible with string
End goal: Log in as administrator user


First we have to know the number of columns returned by the original query. Luckily, the query 'UNION+SELECT+NULL,NULL-- gives 200 OK:

burp intercept

That means there are 2 columns. Now we have to find which column is compatible with the string data type. The following query gives a 500 Internal Server Error - 'UNION+SELECT+'a',NULL--

burp intercept

Since a string in the 1st column causes an error, the 2nd column is the one compatible with the string data type. But we have to print 2 values within one column, so we have to use a concatenation operator to join the two values. In our database it is double pipes || . Now the possible injectable query would be - e'+UNION+SELECT+NULL,username||'=>'||password+FROM+users--

burp intercept

Output would be :

burp intercept

Lab solved :
burp intercept