UNION attack, retrieving multiple values in a single column
PreviousUNION attack, retrieving data from other tablesNextQuerying the database type and version on Oracle
Last updated
Last updated
Lab:
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
The database contains a different table called users, with columns called username and password.
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
First, we know there are only 2 columns and not 3, since category=Pets' ORDER BY 2-- doesn’t return an error, but category=Pets' ORDER BY 3-- does.
We also know that the returned columns are an Integer and a String, since the following query works without any errors: category=Pets' UNION SELECT 1, 'a'--
Therefore, we need to extract the username and password columns, which are usually two separate columns of data type String, from a single column.
You can concatenate multiple strings together to create a single string, using the syntax provided below:
Oracle
'foo'\|'bar'
Microsoft
'foo'+'bar'
PostgreSQL
'foo'\|'bar'
MySQL
'foo' 'bar' Note the space between the two strings
CONCAT('foo','bar')
Based on this, let’s concatenate the username and password and separate them with a ~, using the following injection: category=Pets' UNION SELECT NULL, username || '~' || password FROM users--
Et voilà! The returned string is administrator~f286lusiqzjnv720jo3k. Let’s test it out:
and it’s solved!
