SQL injection UNION attack, finding a column containing text

Let's filter for Accessories.

Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view this request.

Let's forward this request to the Repeater for further modification.

Once in the Repeater, let's set the category parameter to the following:

UNION SELECT NULL--

Since the application returns an error, we know that the number of columns in the current query is more than 1.

Let's try for two columns:

UNION SELECT NULL,NULL--

The application again returns an error.

Let's try for three columns:

UNION SELECT NULL,NULL,NULL--

The application no longer throws an error, which means that there are 3 columns in the current query.

Now let's change one column to a string instead of NULL and observe the behaviour.

UNION SELECT 'test',NULL,NULL--

The response tells us that the first column is not compatible with string data.

Let's move on to the next column.

UNION SELECT NULL,'test',NULL--

We can see that the second column is compatible with string data.

Now all we have to do is replace 'test' with the string that we have to make the database retrieve.

We have solved the lab.
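
From the defender's side, the request sequence in this walkthrough (a growing list of NULLs, then a string moved from column to column) leaves a recognizable trail in web logs. The Python sketch below is an added example, not part of the original write-up; the log entries, the /filter and /search paths, the IP addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed (client IP, request target) pairs; paths and addresses are made up.
SAMPLE_LOG = [
    ("203.0.113.7", "/filter?category=Accessories"),
    ("203.0.113.7", "/filter?category=Accessories+UNION+SELECT+NULL--"),
    ("203.0.113.7", "/filter?category=Accessories+UNION+SELECT+NULL,NULL--"),
    ("203.0.113.7", "/filter?category=Accessories+UNION+SELECT+NULL,NULL,NULL--"),
    ("203.0.113.7", "/filter?category=Accessories+UNION+SELECT+%27test%27,NULL,NULL--"),
    ("203.0.113.7", "/filter?category=Accessories+UNION+SELECT+NULL,%27test%27,NULL--"),
    ("198.51.100.20", "/filter?category=Gifts"),
    ("198.51.100.20", "/search?q=credit+union+select+committee"),
]

# Text between "UNION SELECT" and a trailing comment marker (or end of value).
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\s+(.+?)\s*(?:--|#|$)", re.I | re.S)
STRING_RE = re.compile(r"'[^']*'")

def probe_kinds(value):
    """Return ['null', 'str', ...] for a NULL/string-only UNION SELECT list, else None."""
    m = UNION_RE.search(value)
    if not m:
        return None
    kinds = []
    for col in (c.strip() for c in m.group(1).split(",")):
        if col.upper() == "NULL":
            kinds.append("null")
        elif STRING_RE.fullmatch(col):
            kinds.append("str")
        else:
            return None  # ordinary text such as "credit union select committee"
    return kinds

def detect(log, min_probes=2):
    """Group probes per client; report clients that sent at least min_probes."""
    seen = defaultdict(lambda: {"null_counts": [], "string_positions": []})
    for ip, target in log:
        for values in parse_qs(urlsplit(target).query).values():
            for value in values:
                kinds = probe_kinds(value)
                if kinds is None:
                    continue
                if "str" in kinds:   # type-probing phase: which column takes text
                    seen[ip]["string_positions"].append(kinds.index("str") + 1)
                else:                # column-counting phase: all NULLs
                    seen[ip]["null_counts"].append(len(kinds))
    return {ip: rec for ip, rec in seen.items()
            if len(rec["null_counts"]) + len(rec["string_positions"]) >= min_probes}

if __name__ == "__main__":
    for ip, rec in detect(SAMPLE_LOG).items():
        print(ip, rec)
```

A client whose null_counts climb 1, 2, 3 and whose string_positions then step through the columns matches the enumeration pattern shown in the steps above and is worth an alert.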
