Hello friends and thanks for coming to HaXeZ where today we’re looking at the first SQL injection lab on PortSwigger Web Security Academy. In order to keep things simple, I will be doing the labs in the order that they appear on the all-labs page. While this doesn’t make much sense from a difficulty perspective, it will help with keeping things in order.
SQL Injection UNION Attack
The first lab in the SQL Injection series is a UNION based attack that requires you to determine the number of columns returned by the query. While this is a pretty steep point of entry, I’m always one for jumping in the deep end and learning to swim. The instructions explain that we need to use a UNION based attack and that we will be building on this type of attack for future labs. There is a green button to access the lab.
Clicking the green button takes us to the application, which appears to be a shop. The shop has a navigation menu at the top of the page and some products listed underneath it. We can make an educated guess right away that there are going to be three columns. However, there could be hidden columns somewhere that are not visible on the page. First things first, in Burp Suite, turn Intercept on. Then click one of the links and navigate to Burp to see the captured request.
Repeating The Payload
By far the easiest way to test out payloads in Burp Suite is to send them to Repeater. Repeater allows you to modify and resend a request without having to intercept it again. You can send the original request to Repeater by right-clicking in the request and choosing Send to Repeater. We then need to test how many columns there are. In order to do this, insert a single quotation mark after the Accessories parameter. Then, input the following syntax:
'+UNION+SELECT+NULL-- (make sure to include the space after the double hyphens, so that the rest of the original query is commented out). When you send this payload, you should get a 500 error message, which indicates there is an error in your SQL syntax. That’s good news: it shows the input is being parsed as part of the query.
The SQL Injection
With our first payload giving us an error, we can increase the number of NULL values we add to the injection. A UNION only works when both SELECTs return the same number of columns, so the number of NULL values needs to equal the number of columns in the original query; the first count that returns a normal response tells us how many columns there are. So add another NULL, then another one, until you get the response shown in the picture above. You can then add the payload to your original request and forward it. You would have already completed the lab, but it’s nice to see how the injection is displayed on the page. The correct syntax is displayed below.
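To see why the column count matters without touching the lab at all, here is an added example (not code from the lab or from PortSwigger) that rebuilds the mechanism locally with SQLite. It assumes a made-up products table with three columns standing in for the shop page, shows the string-concatenated query that produces the error on one and two NULLs and succeeds on three, and places the parameterised version beside it, where the same input is bound as a plain value and the UNION never reaches the parser.

```python
import sqlite3


def make_db():
    """Constructed sample shop table (assumption: three columns, like the lab page suggests)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            ("Lab Hoodie", "Accessories", 25.0),
            ("Lab Mug", "Accessories", 8.5),
            ("Lab Laptop", "Tech gifts", 799.0),
        ],
    )
    return conn


def vulnerable_filter(conn, category):
    """The flaw: user input is pasted into the SQL text, so quotes and UNION are parsed as SQL."""
    sql = f"SELECT name, category, price FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def safe_filter(conn, category):
    """The fix: the same input is bound as a parameter and can only ever be a category value."""
    sql = "SELECT name, category, price FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def column_count_by_null_probe(conn, max_columns=10):
    """Reproduce the lab's reasoning against the local table: each NULL count that
    mismatches the original SELECT raises an error (the lab's 500 response); the first
    count that runs cleanly equals the number of columns. Returns (count, errors)."""
    errors = []
    for n in range(1, max_columns + 1):
        nulls = ", ".join(["NULL"] * n)
        payload = f"Accessories' UNION SELECT {nulls}-- "
        try:
            vulnerable_filter(conn, payload)
            return n, errors
        except sqlite3.OperationalError as exc:
            errors.append(str(exc))
    return None, errors


if __name__ == "__main__":
    db = make_db()
    count, errs = column_count_by_null_probe(db)
    for i, msg in enumerate(errs, start=1):
        print(f"{i} NULL(s): error -> {msg}")
    print(f"query has {count} columns")
    probe = "Accessories' UNION SELECT NULL, NULL, NULL-- "
    print("vulnerable:", vulnerable_filter(db, probe))   # extra all-NULL row appears
    print("parameterised:", safe_filter(db, probe))       # no such category, no rows
```

Run it and the vulnerable path prints the two SQLite errors followed by the merged result set containing an all-NULL row, which is the local equivalent of the lab page rendering your injected row. The parameterised path returns nothing for the same input because the whole string, quote and all, is compared against the category column. That is the control to look for in code review: any query built with string formatting or concatenation from request data is a candidate for exactly this behaviour.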