Write-up: SQL injection UNION attack, finding a column containing text @ PortSwigger Academy
This write-up for the lab SQL injection UNION attack, finding a column containing text is part of my walk-through series for PortSwigger’s Web Security Academy.
Learning path topic: Server-side topics → SQL injection
Python script: script.py
Lab description
Query
The query used in the lab will look something like
SELECT * FROM someTable WHERE category = '<CATEGORY>'
Steps
Confirm injectable argument
The first steps are identical to the lab SQL injection UNION attack, determining the number of columns returned by the query and are not repeated here.
As a result of these steps, I found out that the number of columns in the result is 3.
Finding text columns
In a UNION, both queries must return the same number of columns, and the data types of corresponding columns must match.
The null fields match any data type. By successively exchanging a single null with a string, e.g. 'x', I can find out which columns contain string data.
By adding ' UNION (SELECT null, 'x', null)-- to the query, the SQL statement looks like this and results in an 'x' added in the table.
SELECT * FROM someTable WHERE category = 'Accessories' UNION (select null, 'x', null)--'
Injecting the requested string will solve the exercise:
Bonus
By playing around a bit, I found out that the first argument is a number and represents the product ID that is placed in the ‘View details’ link, and that the third argument is the price, by injecting
' UNION (SELECT 1, 'aP6tWl', 33.33)--
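The concatenated query from this write-up next to its parameterized form, as an added example that is not part of the original post or of the lab's code. Assumptions: an in-memory SQLite database stands in for the lab's backend, the column names id, name and price follow the Bonus section, the rows are constructed, and the function names are hypothetical. SQLite does not enforce matching column types in a UNION, so this shows only the injected row being merged into the result and the fix that prevents it.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the lab's table: id, name, price plus category."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE someTable (id INTEGER, name TEXT, price REAL, category TEXT)")
    db.executemany(
        "INSERT INTO someTable VALUES (?, ?, ?, ?)",
        [(1, "Umbrella", 12.50, "Accessories"),   # constructed sample rows
         (2, "Phone case", 8.00, "Accessories"),
         (3, "Chess set", 30.00, "Toys")],
    )
    return db

def vulnerable_lookup(db, category):
    # Concatenation: a quote in the input closes the string literal,
    # so the rest of the input is parsed as SQL.
    sql = "SELECT id, name, price FROM someTable WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

def hardened_lookup(db, category):
    # Bound parameter: the whole input is compared as one string value.
    sql = "SELECT id, name, price FROM someTable WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

# Payload from the write-up, written without the parentheses (adaptation for SQLite).
PAYLOAD = "Accessories' UNION SELECT null, 'x', null--"

if __name__ == "__main__":
    db = make_db()
    for lookup in (vulnerable_lookup, hardened_lookup):
        print(lookup.__name__)
        for value in ("Accessories", PAYLOAD):
            print("  %-45r -> %s" % (value, lookup(db, value)))
```

With the bound parameter, the payload is just a category name that matches no product, so the result set is empty.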
Originally published at https://github.com.