Skip to main content

SQL injection UNION attack, retrieving multiple values in a single column

1

Let's filter for Accessories.

2

Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view this request.

3

Let's forward this request to the Repeater for further modification.

Once in the Repeater, let's set the category parameter to the following:

' UNION SELECT NULL--

4

Since the application returns an error, we know that the number of columns in the current query is more than 1.

Let's set the category parameter to the following:

' UNION SELECT NULL,NULL--

5

Now that we know the current query has two columns, we can retrieve the usernames and password from the username and password columns respectively.

' UNION SELECT NULL,username||':'||password FROM users--

The || characters are used to concatenate strings together. So we are essentially dumping the username and password in the same column in the following format:

username:password

6

We can now login as the admin using the following credentials:

UsernamePassword
administratorfq4yq6966ve3gff4iz65

7

We have solved the lab.

8