SQL injection UNION attack, retrieving data from other tables
https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
Last updated
https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
Last updated
Let's filter for Gifts.
Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view this request.
Let's forward this request to the Repeater for further modification.
Once in the Repeater, let's set the category parameter to the following:
Since the application returns an error, we know that the number of columns in the current query is more than 1.
Let's set the category parameter to the following:
Now that we know the current query has two columns, we can retrieve the usernames and password from the username and password columns respectively.
We can now login as the admin using the following credentials:
We have solved the lab.
| Username | Password |
|---|---|
administrator
21tpnvx8ho5pyej8z6sy
