Lab Description:
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.
The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.
NOTE: I will be using Burpsuite Community Edition to help complete this lab, so you may want to have that up and running. If you’re not sure what Burp is or how to use it, check out this tutorial: Burpsuite Basics (FREE Community Edition) by John Hammond.
This lab is the second in a series of three labs designed to help us understand the process of retrieving data from a site’s database.
In the previous lab we learned how to determine the number of columns returned by the query by using UNION SELECT and NULL values. Here we are going to build off of that and figure out which column contains string data.
In this lab we will:
Verify the existence of a SQLi vulnerability.
Determine the number of columns being used by the database.
Determine which column is compatible with string data.
Access the lab and you will be brought to the familiar shopping page with a list of products and their prices.
#1 — Verify the existence of a SQLi vulnerability.
Our SQLi vulnerability lies in the product category filters. To verify this, click on a product category filter of your choice. I chose ‘Pets’.
After making your selection, head over to Burp and find your filter in the target site map on the left-hand side.
Right-click on your filter and select ‘Send to Repeater’. In Burp Repeater we will be able to alter our request and send it multiple times and see the server’s response for each.
To verify we are in the correct place for a SQLi, replace your filter with a single quote ( ‘ ) and click the orange ‘Send’ button.
We are in the right spot. The ‘500 Internal Server Error’ lets us know that this site may be susceptible to a SQLi attack.
When using a UNION SELECT attack, if the number of columns in your injected SELECT does not exactly match the number of columns returned by the original query, the union will fail with an error. That is why this step is an important one.
#2 — Determine the number of columns being used by the database.
From here we need to use the UNION SELECT and NULL values approach we learned in the previous lab to figure out how many columns we are dealing with.
With this approach we are going to use UNION SELECT and NULL for the column value, then comment out the rest of the line using a double hyphen.
-- Our payload
' UNION SELECT NULL --
-- URL encoded
'+UNION+SELECT+NULL+--
We should get a ‘500 Internal Server Error’ response which tells us we have more than one column.
We do get a ‘500’ response.
To determine the number of columns, keep adding NULL values for columns, separated by commas, until you get a ‘200 OK’ response from the server.
Since this is the same page as the previous lab, I am just going to jump to using three columns.
-- Our payload
' UNION SELECT NULL, NULL, NULL --
-- URL encoded
'+UNION+SELECT+NULL,+NULL,+NULL+--
Getting a ‘200 OK’ response from the server lets us know the query returns three columns.
If you notice at the top of the lab web page, they provide us with a random string to use to solve this lab.
#3 — Determine which column is compatible with string data.
Use this string to replace the NULL values in your payload, one at a time, to determine which column is compatible with string data.
Remember, your string data needs to be enclosed in single quotes.
-- Our payload
' UNION SELECT 'Zi4rv2', NULL, NULL --
-- URL encoded payload
'+UNION+SELECT+'Zi4rv2',+NULL,+NULL+--
Send your payload.
We get a ‘500’ response, letting us know that the first column is not compatible with string data.
Let’s try the second column.
-- Our payload
' UNION SELECT NULL, 'Zi4rv2', NULL --
-- URL encoded payload
'+UNION+SELECT+NULL,+'Zi4rv2',+NULL+--
That did it. We got a ‘200 OK’ response letting us know that column number two is compatible with string data.
The ‘Congratulations’ banner should have popped up on the lab web page.
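To see why the probes above behave the way they do, and what stops them, here is an added example (not part of the lab or this write-up) that simulates the category filter in Python with an in-memory SQLite table. The table, rows and query shape are my own assumptions standing in for the lab's unseen back end; the column-count errors reproduce exactly, while SQLite's loose typing means the "string in a non-string column" 500 from the lab will not.

```python
import sqlite3

# Constructed stand-in for the lab's product table (assumption: the real
# schema is not shown; this just mirrors the three-column result we found).
SCHEMA = """
CREATE TABLE products (name TEXT, description TEXT, price REAL,
                       category TEXT, released INTEGER);
INSERT INTO products VALUES ('Dog Bed', 'Plush', 29.99, 'Pets', 1);
INSERT INTO products VALUES ('Cat Tree', 'Tall', 59.99, 'Pets', 1);
INSERT INTO products VALUES ('Lamp', 'Bright', 19.99, 'Home', 1);
"""

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def filter_vulnerable(conn, category):
    # Vulnerable pattern: the filter value is spliced into the SQL text, so a
    # quote inside it ends the literal and the rest is parsed as SQL.
    sql = ("SELECT name, description, price FROM products WHERE category = '"
           + category + "' AND released = 1")
    return conn.execute(sql).fetchall()

def filter_parameterized(conn, category):
    # Hardened form: the value is bound to a placeholder and never parsed as
    # SQL, so quotes, UNION and -- inside it are only characters to compare.
    sql = ("SELECT name, description, price FROM products "
           "WHERE category = ? AND released = 1")
    return conn.execute(sql, (category,)).fetchall()

def probe(handler, payload):
    # Mimic what the lab shows us: a query error is a '500', success a '200'.
    try:
        rows = handler(fresh_db(), payload)
    except sqlite3.OperationalError:
        return "500", []
    return "200", rows

# The probes from the write-up (SQLite reports a UNION column-count mismatch
# as an error, just like the lab; the string-type probe stays a '200' here).
COUNT_PROBE_1 = "' UNION SELECT NULL --"
COUNT_PROBE_3 = "' UNION SELECT NULL, NULL, NULL --"
STRING_PROBE = "' UNION SELECT NULL, 'Zi4rv2', NULL --"

if __name__ == "__main__":
    for label, p in [("1 col", COUNT_PROBE_1), ("3 cols", COUNT_PROBE_3), ("string", STRING_PROBE)]:
        print(label, "vulnerable:", probe(filter_vulnerable, p), "parameterized:", probe(filter_parameterized, p))
```

Running it prints the 500 for the one-column probe and the extra (None, 'Zi4rv2', None) row for the string probe against the vulnerable handler, while the parameterized handler returns no rows for every injected value.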
Congratulations! You solved another one! Keep up the great work!
See you next time!