SQL injection UNION attack, retrieving multiple values in a single column
https://portswigger.net/web-security/sql-injection/cheat-sheet
![](https://kunalwalavalkar.gitbook.io/~gitbook/image?url=https%3A%2F%2F1586847736-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FtSZ40gLWhBDTzPEgHsVB%252Fuploads%252Fa6cIUcHTDYKoYRyDohp9%252F1.png%3Falt%3Dmedia%26token%3Db991d6ef-bbb3-4da7-bef3-505f3ee8d76e&width=768&dpr=4&quality=100&sign=52a11a27&sv=2)
Let's filter for `Accessories`.
![](https://kunalwalavalkar.gitbook.io/~gitbook/image?url=https%3A%2F%2F1586847736-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FtSZ40gLWhBDTzPEgHsVB%252Fuploads%252FUjTIdZb4GTXTtp7UZfdR%252F2.png%3Falt%3Dmedia%26token%3D9019a88b-8ab7-4940-bbca-c6f74456e0d4&width=768&dpr=4&quality=100&sign=fd6d659a&sv=2)
Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view this request.
![](https://kunalwalavalkar.gitbook.io/~gitbook/image?url=https%3A%2F%2F1586847736-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FtSZ40gLWhBDTzPEgHsVB%252Fuploads%252FDScV5R2AzuB2he0kM2Tr%252F3.png%3Falt%3Dmedia%26token%3Ddc0ac062-7bf3-4812-8a3d-4c588578c9be&width=768&dpr=4&quality=100&sign=9ef6f45a&sv=2)
Let's forward this request to the Repeater for further modification.
Once in the Repeater, let's set the `category` parameter to the following:
![](https://kunalwalavalkar.gitbook.io/~gitbook/image?url=https%3A%2F%2F1586847736-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FtSZ40gLWhBDTzPEgHsVB%252Fuploads%252FfCueE7FpkX1DhG35u4FP%252F4.png%3Falt%3Dmedia%26token%3De9b9c9aa-5675-4b29-ad80-fddebb5c8810&width=768&dpr=4&quality=100&sign=f57feee5&sv=2)
Since the application returns an error, we know that the number of columns in the current query is more than 1. Let's set the `category` parameter to the following:
![](https://kunalwalavalkar.gitbook.io/~gitbook/image?url=https%3A%2F%2F1586847736-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FtSZ40gLWhBDTzPEgHsVB%252Fuploads%252F2JgCxA4Shnj1eF8MtCcw%252F5.png%3Falt%3Dmedia%26token%3D51bc5593-83d4-432f-88d2-f7e81de40812&width=768&dpr=4&quality=100&sign=57302c47&sv=2)
Now that we know the current query has two columns, we can retrieve the usernames and passwords from the `username` and `password` columns respectively.
The `||` characters are used to concatenate strings together. So we are essentially dumping the username and password in the same column in the following format:
![](https://kunalwalavalkar.gitbook.io/~gitbook/image?url=https%3A%2F%2F1586847736-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FtSZ40gLWhBDTzPEgHsVB%252Fuploads%252FbmbGesA8jUUToxlL3zta%252F6.png%3Falt%3Dmedia%26token%3D91497f60-48d2-4168-9ace-ad0831801be1&width=768&dpr=4&quality=100&sign=5425761f&sv=2)
We can now log in as the admin using the following credentials:
administrator
fq4yq6966ve3gff4iz65
![](https://kunalwalavalkar.gitbook.io/~gitbook/image?url=https%3A%2F%2F1586847736-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FtSZ40gLWhBDTzPEgHsVB%252Fuploads%252FeA9cHrKlJDkJJT3jjdtC%252F7.png%3Falt%3Dmedia%26token%3D50403e77-8a57-4f95-b14f-255515b72758&width=768&dpr=4&quality=100&sign=11337858&sv=2)
We have solved the lab.
![](https://kunalwalavalkar.gitbook.io/~gitbook/image?url=https%3A%2F%2F1586847736-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FtSZ40gLWhBDTzPEgHsVB%252Fuploads%252F42Y0IogULe4PEmhE5qzT%252F8.png%3Falt%3Dmedia%26token%3Dfee79e1f-7ef9-434d-b0f0-0f613aa6e226&width=768&dpr=4&quality=100&sign=5cbfa4fe&sv=2)
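Why the `category` filter behaves this way, and the fix, shown as an added example that is not part of the original write-up or the lab's code. It runs against an in-memory SQLite database; the `products` table, its columns, the sample rows and the `~` separator are assumptions made for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data. Only the username/password column names come
    # from the write-up; everything else here is an assumption.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Strap', 'Leather strap', 'Accessories');
        INSERT INTO products VALUES ('Tent', 'Two-person tent', 'Outdoors');
        INSERT INTO users VALUES ('alice', 'constructed-secret');
    """)
    return db


def search_vulnerable(db, category):
    # Weak form: the parameter is pasted into the SQL text, so a quote in it
    # ends the string literal and whatever follows is parsed as SQL.
    sql = ("SELECT name, description FROM products "
           "WHERE category = '" + category + "'")
    return db.execute(sql).fetchall()


def search_parameterized(db, category):
    # Hardened form: the value is bound as data and is never parsed as SQL.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()


# Constructed input of the kind the write-up describes: a two-column UNION
# whose second column joins username and password with ||.
CRAFTED = ("Accessories' UNION SELECT NULL, "
           "username || '~' || password FROM users--")

if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_parameterized):
        print(fn.__name__)
        print("  normal :", fn(db, "Accessories"))
        print("  crafted:", fn(db, CRAFTED))
```

With the bound parameter, the crafted value is compared as a literal category name and matches no rows, so nothing from `users` reaches the response.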