SQL injection UNION attack, retrieving multiple values in a single column
https://portswigger.net/web-security/sql-injection/cheat-sheet
Last updated
https://portswigger.net/web-security/sql-injection/cheat-sheet
Last updated
Let's filter for Accessories
.
Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History
tab to view this request.
Let's forward this request to the Repeater
for further modification.
Once in the Repeater
, let's set the category
parameter to the following:
Since the application returns an error, we know that the number of columns in the current query is more than 1. Let's set the category
parameter to the following:
Now that we know the current query has two columns, we can retrieve the usernames and password from the username
and password
columns respectively.
The ||
characters are used to concatenate strings together. So we are essentially dumping the username and password in the same column in the following format:
We can now login as the admin using the following credentials:
Username | Password |
---|---|
administrator | fq4yq6966ve3gff4iz65 |
We have solved the lab.