Write-up: SQL injection UNION attack, retrieving data from other tables @ PortSwigger Academy
This write-up for the lab "SQL injection UNION attack, retrieving data from other tables" is part of my walkthrough series for PortSwigger’s Web Security Academy.
Learning path topic: Server-side topics → SQL injection
Python script: script.py
Lab description
Query
The query used in the lab will look something like
SELECT * FROM someTable WHERE category = '<CATEGORY>'
Steps
Confirm injectable argument
The first steps are identical to the labs "SQL injection UNION attack, determining the number of columns returned by the query" and "SQL injection UNION attack, finding a column containing text" and are not repeated here.
As a result of these steps, I find out that the number of columns is 2, with both being string columns.
Extracting usernames and passwords
I know which table (users) contains the credentials (columns username and password). And conveniently there are two string columns, so I can simply dump the contents with a UNION.
I use an invalid category so that no articles are found and only my output appears. The injection string is X' UNION (SELECT username, password FROM users)-- to form the following query:
SELECT * FROM someTable WHERE category = 'X' UNION (SELECT username, password FROM users)--
This results in a dump of three user credentials:
The last step is to log in as the administrator and the lab updates to
Originally published at https://github.com.