Hello friends and today HaXeZ is looking at the 4th SQL Injection lab on Portswigger Web Security Academy. This lab requires you to take the UNION-based injection performed in the third lab. However, this time there is only one column that supports text. We will need to concatenate the results in order to complete the lab.
SQL injection UNION attack, retrieving multiple values in a single column
We’ve already completed the previous lab that required us to get data from another table. I’m going to skip the steps to determine the number of columns and which of those columns contain text. You will use the same methods used previously to determine this.
As you can see from the image below, the application follows the same design as the other ones. It has a navigation menu along the top and a list of products underneath. However, this time we only have the name of the products. Previously, we had a description that allowed us to retrieve both the username and password.
Once we’ve worked out how many columns there are, and how many of those columns contain text. It’s time to figure out how we’re going to get the contents from two columns into a single column. This is called concatenation and is particularly useful when you only have one column to work with. In order to do this, we need to intercept the request. After a bit of poking around with the repeater, we have deduced that there are two columns but only the second column allows text.
GET /filter?category=Accessories'+UNION+SELECT+NULL,'a'-- HTTP/1.1
So now we need to concatenate the values from the usernames and passwords columns in the user’s table. In order to do this, we can use the following characters ‘
||'~'||‘. The double pipe and the tilde in single quotation marks will tell the database that we want to merge the data from the usernames and passwords column. The tilde acts as a delimiter character which allows us to see where the username ends and the password begins.
GET /filter?category=Accessories'+UNION+SELECT+NULL,username||'~'||password+FROM+users-- HTTP/1.1
The SQL Injection with Concatenation
So now that we have our syntax, we can append it to the request and forward it back to the application. Once the server processes the request, we should have the results of the SQL injection at the bottom of the page. The username and passwords will be separated with a tilde.
And that’s it. All you need to do now is to grab the administrator username and password and login to the application to complete the lab. The power of concatenation is awesome, I learned a lot from this lab.