SQL Injection UNION Attack, Determining the Number of Columns Returned by the Query


A Portswigger lab

Marduk I Am

Welcome back my friends!

Lab Description:

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.

To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.

NOTE: I will be using Burpsuite Community Edition to help complete this lab, so you may want to have that up and running. If you’re not sure what Burp is or how to use it, check out this tutorial: Burpsuite Basics (FREE Community Edition) by John Hammond.

This lab will be the first in a series of three labs teaching us the steps needed to use a “UNION attack to extract data from other tables”. Each lab will build upon what we have learned from the previous lab.

In this lab we will:

1. Verify the existence of a SQL injection point.
2. Determine the correct number of columns returned by the site's query.

Access the lab and you will be brought to our shopping page. This time, instead of a product and its description, you will see a list of products and their prices.

Shopping page showing our products and prices.

#1 — Verify the existence of SQL injection point.

The products can be sorted by the site’s product category filters. This is where we will find our injection point.

With Burp running, click on the filter of your choice. I went with ‘Tech gifts’ this time.

After choosing your filter, head over to Burp to find your filter in the target site map.

Right-click on your filter and select ‘Send to repeater’.

In the repeater tab you can see your request in the left-hand column and if you click the ‘Send’ button, you can see the server’s response in the right-hand column.

From here we can alter and send our request multiple times to see how our changes affect the response.

First, let’s see if we are in the right spot for a SQLi. In your request, replace the product category filter with a single quote ( ‘ ) and click send.

Your response should be a ‘500 Internal Server Error’. This is a good indication that this site is vulnerable to a SQLi attack.

#2 — Determine the correct number of columns being used in the site’s database.

Determining the number of columns returned by the query is the first step in a UNION SELECT attack. The number of columns in the two SELECTs you are combining needs to match exactly, or the database rejects the statement.

In previous labs we used ‘ORDER BY’ to determine the number of columns. Here we use a different tactic.

We are going to use our UNION SELECT and add NULL columns until we find the right number of columns.

-- Our payload
' UNION SELECT NULL --

-- URL encoded payload
'+UNION+SELECT+NULL+--

NOTE — Before you send your request, make sure you apply URL encoding to your payload. Burp offers a few ways to do this, but I usually just highlight the payload and press Ctrl+U.

We get a ‘500 Internal Server Error’ as a response. This is telling us that there is NOT just one column. Let’s try two.

-- Our payload
' UNION SELECT NULL, NULL --

-- URL encoded payload
'+UNION+SELECT+NULL,+NULL+--

Another ‘500’ response.

How about three columns?

Using this method we will keep adding NULL columns until we get a ‘200 OK’ response indicating we found the correct number of columns present.

-- Our payload
' UNION SELECT NULL, NULL, NULL --

-- URL encoded payload
'+UNION+SELECT+NULL,+NULL,+NULL+--

That’s it. We got it! The query returns three columns.
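To show why the responses flip from ‘500’ to ‘200’ exactly at three columns, here is an added example that reproduces the walkthrough's procedure against a local in-memory SQLite database. It is not code from the lab or from PortSwigger; the products table, its three-column schema and the sample rows are constructed stand-ins for the lab's data. The vulnerable filter builds its query by string concatenation, just as the lab does, and the parameterized version beside it shows the fix: the same payload is bound as a plain value and simply matches no category.

```python
import sqlite3

# Constructed sample data standing in for the lab's product table (hypothetical schema).
PRODUCTS = [
    ("Tech gifts", "Gadget A", "$10.00"),
    ("Tech gifts", "Gadget B", "$25.00"),
    ("Gifts", "Mug", "$5.00"),
]


def make_db():
    """Fresh in-memory database with a three-column products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (category TEXT, name TEXT, price TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    """Builds the query by string concatenation, as the lab's category filter does.

    Returns ("ok", rows) when the database accepts the statement, or
    ("error", message) when it rejects it, mirroring the 200 vs 500
    responses seen in Burp Repeater.
    """
    sql = "SELECT name, price, category FROM products WHERE category = '" + category + "'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def filter_safe(conn, category):
    """Parameterized version: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT name, price, category FROM products WHERE category = ?"
    return ("ok", conn.execute(sql, (category,)).fetchall())


def probe_column_count(conn, max_cols=6):
    """Repeats the walkthrough's procedure locally: append one more NULL to the
    UNION SELECT until the database accepts the statement. Returns the first
    column count that succeeds, or None if none does within max_cols."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ", ".join(["NULL"] * n) + " --"
        status, _ = filter_vulnerable(conn, "Tech gifts" + payload)
        if status == "ok":
            return n
    return None


if __name__ == "__main__":
    db = make_db()
    # The lone quote breaks the string literal: an error, like the lab's 500.
    print(filter_vulnerable(db, "'"))
    # One NULL: column-count mismatch, still an error.
    print(filter_vulnerable(db, "Tech gifts' UNION SELECT NULL --"))
    # Three NULLs: accepted, and an extra all-NULL row appears in the result.
    print(filter_vulnerable(db, "Tech gifts' UNION SELECT NULL, NULL, NULL --"))
    print("columns returned by the query:", probe_column_count(db))
    # Same payload against the parameterized query: no error, no extra row.
    print(filter_safe(db, "Tech gifts' UNION SELECT NULL, NULL, NULL --"))
```

The error SQLite raises for one or two NULLs is a column-count mismatch, not a syntax error; that is the distinction the 500 response hides from you in the lab, and it is why the first ‘200’ is the signal. Note also that the parameterized query never errors on the quote at all, which removes the very signal the first step of the walkthrough relies on.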

Your lab page should be showing the ‘Congratulations banner’ after getting your ‘200’ response.
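From the defender's side, the same sequence of requests leaves a recognisable trail in the web server log: a bare quote that returns a 500, followed by UNION SELECT NULL probes with one more NULL each time, ending in the first 200. This added example (not part of the original post or of the lab) scans constructed combined-format access-log lines for that pattern. The log lines, the client address and the /filter?category= path are all assumptions; the important detail is that the parameter values are URL-decoded before matching, since the payload arrives as %27+UNION+SELECT+NULL+-- rather than in the form shown above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines replaying the walkthrough's request sequence.
# The address, timestamps and the /filter?category= path are assumptions.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /filter?category=Tech+gifts HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /filter?category=%27 HTTP/1.1" 500 130',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /filter?category=%27+UNION+SELECT+NULL+-- HTTP/1.1" 500 130',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /filter?category=%27+UNION+SELECT+NULL,+NULL+-- HTTP/1.1" 500 130',
    '10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /filter?category=%27+UNION+SELECT+NULL,+NULL,+NULL+-- HTTP/1.1" 200 6010',
]

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# UNION SELECT followed by a comma-separated run of NULLs, matched on the decoded value.
UNION_NULL_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+(NULL(?:\s*,\s*NULL)*)\b", re.IGNORECASE)


def decoded_params(target):
    """Return {param: [decoded values]} for the request target. parse_qs undoes
    both %27 and '+' encoding, which is what lets the signature match."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def classify(value, status):
    """Label one decoded parameter value. Returns (rule, nulls) or (None, 0)."""
    m = UNION_NULL_RE.search(value)
    if m:
        nulls = m.group(1).upper().count("NULL")
        return "union_null_probe", nulls
    if "'" in value and status == 500:
        # A quote that produced a server error: the first step of the walkthrough.
        return "quote_probe_500", 0
    return None, 0


def scan(lines):
    """Walk the log lines and collect findings in order of appearance."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m.group("status"))
        for param, values in decoded_params(m.group("target")).items():
            for value in values:
                rule, nulls = classify(value, status)
                if rule:
                    findings.append({
                        "line": n, "ip": m.group("ip"), "param": param,
                        "rule": rule, "nulls": nulls, "status": status,
                        "decoded": value,
                    })
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f["line"], f["ip"], f["param"], f["rule"], "nulls=%d" % f["nulls"], f["status"], repr(f["decoded"]))
```

The sequence of NULL counts rising 1, 2, 3 from the same client against the same parameter, with the status changing to 200 on the last one, is the useful signal; a single 500 on its own is ordinary noise, and a UNION probe that only ever returns 500 tells you the probing happened but not that it succeeded.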

Congratulations. You solved the lab.

Congrats! You solved another one! Keep up the great work!

See you next time!
