SQL injection UNION attack, finding a column containing text
The article presents a SQL injection UNION attack: by determining the number of columns the query returns and identifying a column compatible with string data, the attack is constructed to make a target value appear in the results. 2025-7-3 04:39:33 Author: infosecwriteups.com (view original)

RayofHope

Hi, my fellow hackers. This is Rayofhope. I have over 5 years of experience and am currently working as a consultant with a Big 4 firm.

Day 8 of posting all the PortSwigger labs, not just the solutions. I’ll break down why we take each step, because once the ‘why’ is clear, the ‘how’ becomes easy.

Let’s Start:

Before you read this blog, make sure to read the previous one.
Link to the seventh blog: https://arayofhope7.medium.com/sql-injection-union-attack-determining-the-number-of-columns-returned-by-the-query-01321d3953cb

Video Walkthrough — You can watch the video or read the blog, totally up to you. But if you ask me, start with the video, then read the blog to connect all the dots.

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.

The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

  • In this blog, I will jump directly into the practical part. For the theory and concepts, please refer to the Day 7 blog.

Here’s what the application looks like.

We have multiple categories on the site, and when I clicked on the ‘Gift’ category, I noticed that the URL contains a category parameter with a specific value. This indicates that the application uses this parameter to dynamically retrieve data, likely from a database, which could be vulnerable to SQL injection if input validation is insufficient.

The category parameter accepts arbitrary input (I supplied rayofhope) and reflects it in the response, indicating that the backend might be using it directly in queries. This makes it a candidate for SQL injection testing.

I used a single quote (') to break the query, and sure enough, the query broke. This confirms that the application is vulnerable to SQL injection: it appears they have not implemented proper input sanitization.

I tried ' ORDER BY 2 -- and the page rendered normally, which means the query returns at least two columns.

I tried ' ORDER BY 4 -- and it returned an error, which means the query likely has three columns. Now that we know there are three columns, we need to identify each column's data type and make the value 2ibKWe appear in the results.

I used ' UNION SELECT 1, 2, 3 -- and it returned an error, which means not all three columns accept integer data.

I used ' UNION SELECT 'ray', 'ray', 'ray' -- and it returned an error, which means not all three columns accept string (CHAR) data.

Note:

Now, it could be that the query returns a mix of CHAR and integer columns, but how can we identify which is which? We use NULL, because NULL is accepted by a column of any data type, and then test one column at a time.

With NULL in all three columns, the query succeeded and returned 200 OK. Now we have to retrieve the string ‘2ibKWe’.

I used ' UNION SELECT NULL, NULL, '2ibKWe' -- and it returned an error, which means the third column is not a string column and does not accept '2ibKWe'.
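As an added example that is not part of the original post or the lab, here is defender-side detection logic in Python: it parses constructed access-log lines (Common Log Format is assumed) carrying the same probe sequence against the category parameter, classifies each value as a bare-quote, ORDER BY or UNION SELECT probe, and reports per client which probes the database accepted and what the ORDER BY responses actually prove about the column count.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit
# Constructed sample access log (Common Log Format, not the lab's logs): the probe sequence above.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jul/2025:04:10:22 +0000] "GET /filter?category=Gifts%27+ORDER+BY+2-- HTTP/1.1" 200 5120
10.0.0.5 - - [03/Jul/2025:04:10:30 +0000] "GET /filter?category=Gifts%27+ORDER+BY+4-- HTTP/1.1" 500 210
10.0.0.5 - - [03/Jul/2025:04:10:41 +0000] "GET /filter?category=Gifts%27+UNION+SELECT+NULL,NULL,NULL-- HTTP/1.1" 200 5300
10.0.0.5 - - [03/Jul/2025:04:10:55 +0000] "GET /filter?category=Gifts%27+UNION+SELECT+NULL,NULL,%272ibKWe%27-- HTTP/1.1" 500 210
10.0.0.9 - - [03/Jul/2025:04:11:02 +0000] "GET /filter?category=Pets HTTP/1.1" 200 4800
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3})')
ORDER_BY_RE = re.compile(r"""['"].*\bORDER\s+BY\s+(\d+)""", re.I | re.S)
UNION_RE = re.compile(r"""['"].*\bUNION\s+(?:ALL\s+)?SELECT\s+(.+?)(?:--|#|/\*|$)""", re.I | re.S)

def parse_line(line):
    """Return client IP, status and the URL-decoded category value, or None if unparseable."""
    m = LOG_RE.match(line)
    return m and {"ip": m["ip"], "status": int(m["status"]),
                  "category": parse_qs(urlsplit(m["path"]).query).get("category", [""])[0]}

def classify(value):
    """Name the probing step a category value resembles: bare quote, ORDER BY n, or UNION SELECT."""
    if "'" not in value and '"' not in value:
        return {"kind": "benign"}
    if m := ORDER_BY_RE.search(value):
        return {"kind": "order_by", "n": int(m.group(1))}
    if m := UNION_RE.search(value):
        cols = [c.strip() for c in m.group(1).split(",")]
        return {"kind": "union", "columns": ["null" if c.upper() == "NULL" else
                "string" if c[:1] in ("'", '"') else "other" for c in cols]}
    return {"kind": "quote_only"}

def summarize(log_text):
    """Per client: probes seen, which ones the database accepted (status < 400), and an alert flag."""
    report = defaultdict(lambda: {"alert": False, "order_by_ok": 0, "order_by_err": None, "union": []})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        r, c, ok = report[rec["ip"]], classify(rec["category"]), rec["status"] < 400
        if c["kind"] == "benign":
            continue
        r["alert"] = True
        if c["kind"] == "order_by" and ok:      # highest index the database accepted
            r["order_by_ok"] = max(r["order_by_ok"], c["n"])
        elif c["kind"] == "order_by":           # lowest index it rejected
            r["order_by_err"] = min(r["order_by_err"] or c["n"], c["n"])
        elif c["kind"] == "union":
            r["union"].append({"columns": c["columns"], "ok": ok})
    return dict(report)

def column_bounds(r):
    """What the ORDER BY probes actually prove about the column count: (at least, at most)."""
    return (r["order_by_ok"] or None, r["order_by_err"] - 1 if r["order_by_err"] else None)
```

Note that a successful ORDER BY 2 only proves a lower bound of two; the upper bound comes from the first index that errors.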


Source: https://infosecwriteups.com/sql-injection-union-attack-finding-a-column-containing-text-8bb9f92b6430?source=rss----7b722bfd1b8d--bug_bounty