SQL injection UNION attack, finding a column containing text
https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text
Let's filter for Accessories.
Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view this request.
Let's forward this request to the Repeater for further modification.
Once in the Repeater, let's set the category parameter to the following:
Since the application returns an error, we know that the number of columns in the current query is more than 1.
Let's try for two columns:
The application again returns an error.
Let's try for three columns:
The application no longer throws an error, which means that there are 3 columns in the current query.
Now let's change one column to a string instead of NULL and observe the behaviour.
That tells us that the first column is not compatible with string data.
Let's move on to the next column.
We can see that the second column is compatible with string data.
Now all we have to do is replace test with the string that we have to make the database retrieve.
We have solved the lab.
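The sequence above (one NULL, then two, then three, then a string moved from column to column) leaves a recognisable trail in request logs. The following is an added example, not part of the original walkthrough, that flags that trail in the category parameter; the /filter path, the sample request lines and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request lines (the /filter path is assumed); not captured lab traffic.
SAMPLE_REQUESTS = [
    "GET /filter?category=Accessories HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+NULL-- HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+NULL,NULL-- HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+NULL,NULL,NULL-- HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+'test',NULL,NULL-- HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+NULL,'test',NULL-- HTTP/1.1",
]

ITEM = r"(?:null|'[^']*')"  # one select-list entry: NULL or a quoted string
PROBE_RE = re.compile(rf"\bunion\s+(?:all\s+)?select\s+({ITEM}(?:\s*,\s*{ITEM})*)", re.I)

def classify(request_line, param="category"):
    """Return (column_count, string_positions) for a UNION probe, else None."""
    url = request_line.split(" ")[1]
    for value in parse_qs(urlsplit(url).query).get(param, []):  # URL-decoded
        match = PROBE_RE.search(value)
        if match:
            items = re.findall(ITEM, match.group(1), re.I)
            strings = [i for i, item in enumerate(items, 1) if item.startswith("'")]
            return len(items), strings
    return None

def summarize(request_lines):
    """Collapse one client's requests into the stages of the enumeration."""
    probes = [p for p in map(classify, request_lines) if p]
    counts = sorted({n for n, _ in probes})
    positions = sorted({pos for _, strings in probes for pos in strings})
    return {
        "probes": len(probes),
        "column_counts_tried": counts,
        "string_positions_tried": positions,
        # Several column counts, or any string placed among NULLs, is enumeration.
        "alert": len(counts) > 1 or bool(positions),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_REQUESTS))
```

A match only shows that someone probed the parameter; binding the category value as a query parameter instead of concatenating it into the SQL is what removes the injection itself.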