
SQL injection UNION attack determining the number of columns returned by the query

Introduction

Hello, my dear friends. How are you all doing? This is our 5th article on SQL Injection. In this article, we will solve the PortSwigger Web Security lab on SQL injection UNION attack and determining the number of columns returned by the query, step by step.

Lab Description

First, let’s try to understand the lab’s description. This lab has an SQL Injection vulnerability in the product category filter. The results of the query are returned in the application’s response. Therefore, by performing a UNION attack, we can retrieve data from the database. The first step is to determine the number of columns returned by the query. Then, we can construct a full attack based on that information.

To solve the lab, you need to determine the number of columns returned by the query and then fetch the row values using an SQL Injection UNION attack.

Lab Solution

First, access the lab.


Now, click on any product category in the menu, such as “Pets,” because SQL Injection is present in the product category.

To confirm the SQL Injection vulnerability, append a single quote (' or, URL-encoded, %27) after “category=pets” in the URL. You should receive an error message, confirming the vulnerability.

To fix this error, append -- (the SQL comment sequence) after %27 (').


After doing this, the error will be fixed, and values will be returned by the application.

Full link: https://0a13007e033e927681870cf2001000de.web-security-academy.net/filter?category=Pets%27--

Next, we need to find out how many columns the query behind the “Pets” category returns.

To find the number of columns, use the following payload:

 '+UNION+SELECT+NULL--

At the beginning, append ' after “pets” and then use + (the URL encoding for a space). We will use the UNION SELECT attack and end the query with NULL--. Here, each NULL stands for one column, so this first attempt assumes that the query returns only one column.

Your query, without encoding, will be ' UNION SELECT NULL--.

The browser will automatically encode your query.


When you receive the Internal Server error, it means that the number of columns in our UNION SELECT does not match the number of columns returned by the original query. To overcome this, add another NULL value to the SQL Injection query.

Try the following query:

'+UNION+SELECT+NULL,NULL--

Even after trying NULL twice in the SQL Injection query, we still receive an Internal Server error. So, let’s add one more NULL value.

Try the following query:

 '+UNION+SELECT+NULL,NULL,NULL--

You can see that when I added the third NULL value, all the database columns were displayed. With this, we have successfully solved the PortSwigger Web Security lab on SQL injection UNION attack and determined the number of columns returned by the query.
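The column-count behaviour walked through above can be reproduced offline. This is an added example, not part of the original article or the lab: it uses a constructed in-memory SQLite table (the table name, column names and rows are assumptions) and runs the same three inputs through a string-concatenated query and through a parameterized one.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's product table (schema is an assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products "
               "(name TEXT, description TEXT, price REAL, category TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        ("Dog lead", "Strong lead", 9.99, "Pets"),
        ("Cat bed", "Soft bed", 19.99, "Pets"),
        ("Mug", "Holds tea", 4.50, "Gifts"),
    ])
    return db

def vulnerable_filter(db, category):
    # Vulnerable: the category value becomes part of the SQL text.
    sql = ("SELECT name, description, price FROM products "
           "WHERE category = '" + category + "'")
    return db.execute(sql).fetchall()

def safe_filter(db, category):
    # Hardened: the value is bound as data and never parsed as SQL.
    sql = "SELECT name, description, price FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

def probe(db, filter_fn, nulls):
    # Same input shape as in the article, here with a variable number of NULLs.
    value = "Pets' UNION SELECT " + ",".join(["NULL"] * nulls) + "--"
    try:
        return ("ok", len(filter_fn(db, value)))
    except sqlite3.OperationalError as exc:
        # SQLite rejects a UNION whose two SELECTs differ in column count.
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for n in (1, 2, 3):
        print(n, "vulnerable:", probe(db, vulnerable_filter, n))
        print(n, "safe:      ", probe(db, safe_filter, n))
```

With the concatenated query, one and two NULLs raise a database error and three NULLs return the two “Pets” rows plus one all-NULL row; with the bound parameter, every input is just a category name that matches nothing.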

To continue studying, check out the next lab, SQL Injection UNION Attack Finding A Column Containing Text. Cover the current lab before visiting the next lab. Good luck!

FAQs

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always a good practice to use an up-to-date browser with timely updates. Keep your browser plugins up to date, avoid malicious websites and links, always enable 2-factor authentication, and avoid clickjacking.

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.
