Skip to main content

SQL injection UNION attack, determining the number of columns returned by the query

1

Let's filter for Accessories.

2

Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view this request.

3

Let's forward this request to the Repeater for further modification.

Once in the Repeater, let's set the category parameter to the following:

UNION SELECT NULL--

4

Since the application returns an error, we know that the number of columns in the current query is more than 1.

Let's try for two columns:

UNION SELECT NULL,NULL--

5

The application again returns an error.

Let's try for three columns:

UNION SELECT NULL,NULL,NULL--

6

The application no longer throws an error which means that there are 3 columns in the current query.

We have solved the lab.

7