Portswigger Web Security Academy Lab: SQL injection UNION attack, determining the number of columns returned by the query

Summary

“This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query.”

Vulnerable Parameter:
Product category filter

End Goals:
1.Execute a SQL injection UNION attack that returns an additional row containing null values.
2.Determine the number of columns returned by the query

Burpsuite:

Intercept

From the lab main site, select one of the product categories and open it’s associated webpage. With your proxy server calibrated to intercept web requests and Burpsuite open, refresh that lab page so that you can intercept the request. Locate the appropriate request in your HTTP history tab (which will be a GET request) and send it to your Burpsuite Repeater.

Columns

To verify that the product category is vulnerable and retrieve the number of columns — modify the category parameter in Repeater. The lab instructs us to use a UNION sql injection attack that returns additional column containing a NULL value. We will continue to add NULL values in our query until our request stops receiving an error.