SQL injection UNION attack, retrieving data from other tables
https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
Last updated
https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
Last updated
Let's filter for Gifts
.
Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History
tab to view this request.
Let's forward this request to the Repeater
for further modification.
Once in the Repeater
, let's set the category
parameter to the following:
Since the application returns an error, we know that the number of columns in the current query is more than 1.
Let's set the category
parameter to the following:
Now that we know the current query has two columns, we can retrieve the usernames and password from the username
and password
columns respectively.
We can now login as the admin using the following credentials:
Username | Password |
---|---|
administrator | 21tpnvx8ho5pyej8z6sy |
We have solved the lab.