Hello, friends. How are you all? We have started a series on SQL injection, and this is our 7th article. In this article, we will solve the PortSwigger Web Security Lab – SQL injection UNION attack retrieving multiple values in a single column, step by step with practical examples.
This lab has an SQL injection vulnerability in the product category filter. The query we submit is shown as a response on the application’s interface. We can take advantage of this to retrieve data from the table.
There are multiple tables in this lab, and one of the tables is named “users” with columns for username and password.
To solve this lab, we need to perform an SQL injection UNION attack to grab the username and password from the application’s interface. Essentially, we will retrieve the credentials of the administrator user and log in as an admin user to solve the lab.
First, we need to access the lab. After accessing the lab, click on any product filter. In my case, I clicked on “pets,” so my category is “pets.”
Now, we already know that there is an SQL injection vulnerability here, and we need to exploit it.
To confirm the SQL Injection vulnerability, use the ‘ after “pets” and check if the application throws an error. If it does, it means it’s vulnerable to SQL Injection. %27 is the encoded form of ‘.
Now, we need to find how many columns are there in the response.
By using this SQL query, I found that there are 2 columns in the “pets” category. As you can see, you need to gradually increase the number of null values until the server error is resolved. If you want to learn how to find columns, please refer to our previous articles.
Next, we need to test if both columns accept string values.
As you can see, I received an error message, which means one of the columns is not accepting string values. Now we need to test them one by one.
In my case, I already know that the 2nd column accepts null values, while the 1st column does not accept string values.
Now, we come across the concept of concatenation in such cases. Concatenation is a technique used to combine two strings and execute them. Since we are learning about SQL Injection, we will use the symbols ||’~’|| for concatenation.
For example: select null,username||'~'||password from users--
We will exploit SQL Injection using this method. Since we cannot insert a string value in the 1st column (‘+UNION+SELECT+’NULL’,’def’–), we will use the 2nd column to grab the username and password from the database.
As you can see, we have successfully solved the PortSwigger Web Security Lab – SQL injection UNION attack retrieving multiple values in a single column by using SQL Injection (‘+UNION+SELECT+NULL,username||’~’||password+FROM+users–).
So, guys, I clicked on “My Account” and submitted the username and password (administrator~g4iaxrxo9m6ivqb6p28p), and our lab got solved.
You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.
To continue studying check out the next lab i.e. SQL Injection Attack Querying The Database Type And Version On Oracle, cover the current lab before visiting the next lab. Good Luck!
Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.
Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.
It is always a good practice to use an up-to-date browser with timely updates. Keep your browser plugins up-to-date, avoid malicious websites and links, and always enable 2-factor authentication while avoiding clickjacking.
Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.