Write-up: SQL injection UNION attack, retrieving data from other tables @ PortSwigger Academy

This write-up for the lab "SQL injection UNION attack, retrieving data from other tables" is part of my walkthrough series for PortSwigger’s Web Security Academy.

Learning path topic: Server-side topics → SQL injection
Python script: script.py

Lab description

Query

The query used in the lab will look something like

SELECT * FROM someTable WHERE category = '<CATEGORY>'

Steps

Confirm injectable argument

The first steps are identical to those in the labs "SQL injection UNION attack, determining the number of columns returned by the query" and "SQL injection UNION attack, finding a column containing text", so they are not repeated here.

As a result of these steps, I find out that the number of columns is 2, with both being string columns.

Extracting usernames and passwords

I know which table (users) contains the credentials (columns username and password). And conveniently there are two string columns, so I can simply dump the contents with a UNION.

I use an invalid category so that no articles are found and only my output appears. The injection string is X' UNION (SELECT username, password FROM users)-- to form the following query:

SELECT * FROM someTable WHERE category = 'X' UNION (SELECT username, password FROM users)--

This results in a dump of three user credentials:

The last step is to log in as the administrator and the lab updates to

Originally published at https://github.com.

Frank Leitner

Tech nerd, doing security stuff for fun and some as a job | CISSP, OSCP. Read all stories on medium and support me: https://medium.com/@frank.leitner/membership