Write-up: SQL injection UNION attack, finding a column containing text @ PortSwigger Academy

This write-up for the lab SQL injection UNION attack, finding a column containing text is part of my walk-through series for PortSwigger’s Web Security Academy.

Learning path topic: Server-side topics → SQL injection
Python script: script.py

Lab description

Query

The query used in the lab will look something like

SELECT * FROM someTable WHERE category = '<CATEGORY>'

Steps

Confirm injectable argument

The first steps are identical to the lab SQL injection UNION attack, determining the number of columns returned by the query and are not repeated here.

As a result of these steps, I found out that the number of columns in the result is 3.

Finding text columns

In a UNION, both queries must match the number of columns as well as the data types of each column.

A null matches any data type. By replacing one null at a time with a string, e.g. 'x', I can find out which columns contain string data.

Adding ' UNION (SELECT null, 'x', null)-- to the category value produces the following SQL statement and results in an 'x' being added to the table.

SELECT * FROM someTable WHERE category = 'Accessories' UNION (select null, 'x', null)--'
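The same behaviour reproduced against an in-memory SQLite table, next to the parameterized form that prevents it. This is an added example, not the lab's code or the script linked above; the table, columns and rows are constructed, and the function names are hypothetical. The parentheses around the injected SELECT are dropped because SQLite rejects them, and SQLite checks only the column count of a UNION, not the column types.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema is an assumption, not the lab's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL, category TEXT)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, "Phone case", 9.99, "Accessories"),
         (2, "Desk lamp", 24.50, "Lifestyle")],
    )
    return db

def search_vulnerable(db, category):
    # The input is pasted into the SQL text, so a quote in it closes the
    # string literal and the rest is parsed as SQL.
    sql = "SELECT id, name, price FROM products WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

def search_parameterized(db, category):
    # The input is bound as a value and is never parsed as SQL.
    sql = "SELECT id, name, price FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

def outcome(search, db, category):
    """Return the rows, or the database error text if the statement is rejected."""
    try:
        return search(db, category)
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"

# The probe from the write-up (three columns) and a two-column variant that
# violates the "same number of columns" rule.
PROBE = "Accessories' UNION SELECT null, 'x', null--"
TWO_COLS = "Accessories' UNION SELECT null, 'x'--"

if __name__ == "__main__":
    db = make_db()
    for label, value in (("3 columns", PROBE), ("2 columns", TWO_COLS)):
        print(label, "vulnerable:   ", outcome(search_vulnerable, db, value))
        print(label, "parameterized:", outcome(search_parameterized, db, value))
```

With the bound parameter, the whole input is compared as a category name, so both probes return no rows and never reach the SQL parser.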

Injecting the requested string will solve the exercise:

Bonus

By playing around a bit, I find out that the first argument is a number and represents the product ID that is placed in the ‘View details’ link, and the third argument is the price, by injecting ' UNION (SELECT 1, 'aP6tWl', 33.33)--

Originally published at https://github.com.

Frank Leitner

Tech nerd, doing security stuff for fun and some as a job | CISSP, OSCP. Read all stories on medium and support me: https://medium.com/@frank.leitner/membership