Hello friends and today HaXeZ is looking at the 3rd SQL Injection lab on Portswigger Web Security Academy. This lab requires you to take the UNION-based injection performed in the second lab, and extend it. This time we’re going to retrieve the contents of the username and password columns from the user table.
SQL injection UNION attack, retrieving data from other tables
As I mentioned, this lab requires you to use the techniques we’ve learned so far and build on them to retrieve the username and password columns from the users table. As always, we have our green button to head to the lab.
The Application
The application follows the same theme that we have been seeing in other labs. Navigation menu along the top with a list of descriptions underneath. However, this time it seems like we may only have two columns. There is a title that is in bold font, and a description that is in regular font. We can intercept a request to one of the categories to find out. Head to Burp, turn on intercept and click one of the links.
Intercepted!
With the request intercepted, we can start to enumerate the structure of the database. For example, we can start by determining how many columns there are using ‘UNION SELECT NULL-- ‘ method. As you can see from the image below, it appears that there are two columns. We increased the number of ‘NULL‘ values in our injection until we stopped receiving a 500 error.
Next, we need to determine which columns are capable of handling text. We don’t want to try and dump our usernames and passwords into columns that can only display numbers. In order to do this, we replace the NULL value with a quoted string such as ‘test’. Since we only have two columns and both of the columns displayed text, it’s a safe bet to assume ‘UNION SELECT 'test','test'-- ‘ would work. In the picture below I have used ‘a’ because I’m lazy.
The Injection
So following the logic we have learned so far we should now be able to dump the contents of the usernames and passwords columns from the user’s table. The syntax is pretty simple especially if you’re already somewhat familiar with Structured Query Language. We replace the test values with the columns we want and then specify where those columns are. You may have to play around with the spacing, especially at the end.
'+UNION+SELECT+USERNAME,+PASSWORD+FROM+users-- 
That’s it, you can forward the request to the application which should solve the lab. When the final page renders, you should have the username and passwords at the bottom of the page.
Amendedment
Don’t forget to log in as the administrator or else you won’t solve the lab. Whoops.
