PortSwigger Web Security Academy: SQL injection 2

Hello friends and today HaXeZ is looking at the 2nd SQL Injection lab on PortSwigger Web Security Academy. This lab takes the UNION-based injection performed in the first lab and extends it: instead of only identifying the number of columns, we test which of those columns can hold text. To do this, we follow the same methodology as in the first lab and then replace one of the NULL values with a string.

SQL Injection UNION Attack, Finding a Column Containing Text

SQL Injection UNION Attack, Finding Columns With Text

As stated above, the purpose of this lab is to help you learn how to identify columns that contain text. This is useful because if you want to dump the contents of a database through a UNION injection, the data you retrieve has to land in a column of a compatible type. This lab requires you to perform the injection so that the database returns a specific string that the lab provides.


The Application

The application is similar to the ones we have already seen: a navigation menu at the top with the products listed underneath. However, at the top there is a message that says, make the database retrieve the string ‘zns2kh’ (the string changes each time the lab is loaded). To do this, we turn intercept on in Burp and click one of the category links. This gives us a request with a parameter we can work on to figure out the injection.


Intercept and Repeat

As you can see from the image below, I intercepted the request with Burp and sent it to Repeater. I then identified how many columns there are using the ‘Accessories'+UNION+SELECT+NULL,NULL,NULL--’ method, adding NULL values until the application stops producing a 500 error. Next we repeat this process, but this time we replace one of the ‘NULL’ values with a string. In the example below, I used ‘a’ to determine which column holds text. As you can see from the results, the second column contains text, because that request returns a valid response instead of a 500 error.

Burp Suite Repeater

The SQL Injection

In order to solve the lab, you need to replace the string ‘a’ with the string shown at the top of the page. In fact, you could do the whole lab with the required string instead of ‘a’, but I needed to pad out this write-up to hit the desired word count. Anyway, that’s the solution; I hope you found this useful.

parameter'+UNION+SELECT+NULL,'your-string',NULL--
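To show why the payload above works and what stops it, here is an added example that is not part of this write-up or of PortSwigger's lab code. It builds a small in-memory SQLite stand-in for the product catalogue (a constructed table; the assumption is that the vulnerable query returns three columns, matching the three NULLs in the payload), runs the UNION payload through a string-concatenated query and through a parameterised one, checks whether the marker string came back (the lab's success condition), and flags UNION SELECT probes in a few constructed access-log lines so the same attack can be spotted on the defending side.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


# Constructed stand-in for the lab's product catalogue (assumption: the filter query
# selects three columns, which is why the write-up's payload carries three values).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, "Gift Card", "Gifts", 10.0), (2, "Phone Case", "Accessories", 12.5)],
    )
    return conn


def filter_vulnerable(conn: sqlite3.Connection, category: str) -> list:
    # Vulnerable form: the category value is pasted into the SQL text, so a closing quote
    # followed by UNION SELECT appends attacker-chosen rows, and -- comments out the rest.
    sql = f"SELECT id, name, price FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def filter_parameterized(conn: sqlite3.Connection, category: str) -> list:
    # Hardened form: the value is bound as a parameter, so the database compares the whole
    # string (quote, UNION and all) against the column and never parses it as SQL.
    sql = "SELECT id, name, price FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def reflects_marker(rows: list, marker: str) -> bool:
    # The lab's success condition: the marker string appears as a value in the returned rows,
    # meaning the injected SELECT placed it into a text-compatible column.
    return any(str(value) == marker for row in rows for value in row)


# Detection side: URL-decode the query string of each request and flag UNION ... SELECT.
UNION_PROBE = re.compile(r"union\s+(all\s+)?select\b", re.IGNORECASE)

# Constructed access-log lines shaped like the lab's filter requests (not real traffic).
SAMPLE_LOG = [
    "GET /filter?category=Accessories HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+NULL,NULL,NULL-- HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+NULL,'a',NULL-- HTTP/1.1",
]


def flag_union_probes(log_lines: list) -> list:
    # Returns (raw line, decoded query string) pairs whose query string carries a UNION SELECT.
    hits = []
    for line in log_lines:
        match = re.search(r"\?(\S+)", line)
        if not match:
            continue
        query = unquote_plus(match.group(1))  # '+' becomes a space, %xx sequences are decoded
        if UNION_PROBE.search(query):
            hits.append((line, query))
    return hits


if __name__ == "__main__":
    db = build_db()
    payload = "Accessories' UNION SELECT NULL,'zns2kh',NULL--"
    vulnerable_rows = filter_vulnerable(db, payload)
    print(vulnerable_rows)                          # includes the row (None, 'zns2kh', None)
    print(reflects_marker(vulnerable_rows, "zns2kh"))  # True
    print(filter_parameterized(db, payload))        # [] : no category equals the payload text
    for raw, decoded in flag_union_probes(SAMPLE_LOG):
        print("UNION probe:", decoded)
```

One caveat when reading the results: SQLite is loosely typed, so it happily accepts a string in the NULL position for any column, whereas the lab's database rejects a text value in a numeric column with an error (the 500 the write-up uses as its signal). That difference is exactly why the "replace one NULL at a time" step exists on a strictly typed database, and why the parameterised query is the fix rather than filtering on column types.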