Introduction
Hello, friends! How are you all doing? We have started a series on SQL Injection, and this is the 6th article. In this article, we will cover the PortSwigger Web Security lab on SQL injection UNION attack, retrieving data from other tables, from basic to advanced, in a step-by-step manner.
Lab Description
In this lab, there is an SQL injection vulnerability in the product category filter. The results of the query are returned in the application’s response, so we can use a UNION attack to retrieve data from other database tables. To perform this attack, you need to be familiar with the techniques covered in my previous articles.
The database has several tables, and the one that matters to us is named “users”. It has two columns, named “username” and “password”.
To solve the lab, you need to perform an SQL Injection UNION attack to fetch usernames and passwords from the “users” table. The “administrator” username is also present in the list of users.
Lab Solution
First, access the lab and click on any product category filter. In my case, I clicked on “pets”.
'+UNION+SELECT+NULL,NULL--
After clicking on “pets”, I submitted the above SQL injection payload in the category filter. The response showed that the query returns only 2 columns. Next, I will verify whether both columns accept string values.
'+UNION+SELECT+'abc','def'--
This confirms that the query returns only 2 columns and that both columns accept string values.
Next, I will construct a query to fetch the “username” and “password” columns from the “users” table.
'+UNION+SELECT+username,+password+FROM+users--
In the above SQL injection payload, I fetch the “username” and “password” columns from the “users” table. The two positions that previously held NULL values, and that were shown to accept strings, now hold “username,+password”, and the “FROM” keyword selects the “users” table. Now, let’s see the result in the screenshot below.
You can see that I have obtained the username and password for the administrator.
I then clicked on “My Account” and entered “administrator” as the username and “gb8pnmrmsxct1c2jcz6m” as the password. After entering the correct credentials, I successfully solved the PortSwigger Web Security lab on SQL injection UNION attack, retrieving data from other tables.
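Why the category filter behaves this way, and what the fix looks like, as an added example that is not part of the lab or of the original walkthrough. It assumes an in-memory SQLite database with constructed sample rows; the "products" table and the function names are hypothetical, and the payload is the URL-decoded form of the final one above.

```python
import sqlite3

# Constructed stand-in for the lab database; table contents are sample values.
SCHEMA = """
CREATE TABLE products (name TEXT, description TEXT, category TEXT);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO products VALUES ('Dog bed', 'Soft bed', 'Pets'),
                            ('Desk lamp', 'LED lamp', 'Office');
INSERT INTO users VALUES ('administrator', 'constructed-secret'),
                         ('alice', 'constructed-pass');
"""

# URL-decoded form of the article's final payload ('+' decodes to a space).
PAYLOAD = "' UNION SELECT username, password FROM users--"

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def filter_vulnerable(db, category):
    # Input is pasted into the SQL text: a quote closes the string literal,
    # and everything after it is parsed as SQL.
    sql = ("SELECT name, description FROM products "
           "WHERE category = '" + category + "'")
    return db.execute(sql).fetchall()

def filter_parameterized(db, category):
    # Input is bound as a value: it is only ever compared with the column.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", filter_vulnerable(db, "Pets"))
    print("vulnerable, payload      :", filter_vulnerable(db, PAYLOAD))
    print("parameterized, payload   :", filter_parameterized(db, PAYLOAD))
```

With the bound parameter, the whole payload is treated as a category name that matches no product, so the result set is empty and the “users” table is never read.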
You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.
To continue studying, check out the next lab, SQL Injection UNION Attack Retrieving Multiple Values In A Single Column. Complete the current lab before moving on to the next one. Good luck!
FAQs
Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.
Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.
It is always good practice to use an up-to-date browser with timely updates. Keep your browser plugins up to date, avoid malicious websites and links, always enable 2-factor authentication, and watch out for clickjacking.
Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.