Jawad's Notes

UNION attack, retrieving data from other tables


Last updated 1 year ago

Lab: SQL injection UNION attack, retrieving data from other tables

Description

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables.

The database contains a different table called users, with columns called username and password.

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Steps

First, we determine that the number of columns is at least 2, as the injection below doesn’t produce an error: category=Gifts' ORDER BY 2--

We can also figure out that both columns accept string data, as they don’t generate errors when using: category=Gifts' UNION SELECT 'a', 'a'--

Knowing that we have a table named users with 2 columns, namely, username and password, let’s append a UNION SELECT against this table to list all the users: category=Gifts' UNION SELECT username, password FROM users--

Et voilà! The user administrator is returned with the password u35dnobwat09aipkb3xn.

Let’s try it out:

And it’s solved!
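Why the last step works, and what stops it, shown as an added example that is not part of the original notes or the lab's code. It assumes a SQLite stand-in with a constructed products/users schema and hypothetical function names; the same category input is passed to a concatenated query and to a parameterized one.

```python
import sqlite3

# Constructed stand-in for the lab's database: schema, rows and passwords
# are assumptions made for this example, not values from the lab.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, description TEXT,
                               category TEXT, released INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Mug', 'Ceramic mug', 'Gifts', 1);
        INSERT INTO products VALUES ('Card', 'Greeting card', 'Gifts', 1);
        INSERT INTO users VALUES ('administrator', 'constructed-password');
        INSERT INTO users VALUES ('alice', 'constructed-password-2');
    """)
    return db

def filter_vulnerable(db, category):
    # The input is concatenated into the SQL text, so a quote in `category`
    # closes the string literal and everything after it is parsed as SQL.
    sql = ("SELECT name, description FROM products "
           "WHERE category = '" + category + "' AND released = 1")
    return db.execute(sql).fetchall()

def filter_parameterized(db, category):
    # The value is bound as data and never becomes part of the statement,
    # so the quote, UNION and comment marker are compared as plain text.
    sql = ("SELECT name, description FROM products "
           "WHERE category = ? AND released = 1")
    return db.execute(sql, (category,)).fetchall()

# The category value used in the steps above.
PAYLOAD = "Gifts' UNION SELECT username, password FROM users--"

if __name__ == "__main__":
    db = make_db()
    # Product rows plus every row of users (two text columns match up).
    print("vulnerable:   ", filter_vulnerable(db, PAYLOAD))
    # No category has that literal name, so nothing is returned.
    print("parameterized:", filter_parameterized(db, PAYLOAD))
    # Legitimate input still works with the bound parameter.
    print("normal input: ", filter_parameterized(db, "Gifts"))
```
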
