PortSwigger Web Security Academy: SQL injection 4

Posted on by Jonobi Musashi
PortSwigger Web Security Academy: SQL injection 4

Hello friends and today HaXeZ is looking at the 4th SQL Injection lab on Portswigger Web Security Academy. This lab requires you to take the UNION-based injection performed in the third lab. However, this time there is only one column that supports text. We will need to concatenate the results in order to complete the lab.

SQL injection UNION attack, retrieving multiple values in a single column
SQL injection UNION attack, retrieving multiple values in a single column

SQL injection UNION attack, retrieving multiple values in a single column

We’ve already completed the previous lab that required us to get data from another table. I’m going to skip the steps to determine the number of columns and which of those columns contain text. You will use the same methods used previously to determine this.

The Lab
The Lab

The Application

As you can see from the image below, the application follows the same design as the other ones. It has a navigation menu along the top and a list of products underneath. However, this time we only have the name of the products. Previously, we had a description that allowed us to retrieve both the username and password.

The Application
The Application

Concatenation

Once we’ve worked out how many columns there are, and how many of those columns contain text. It’s time to figure out how we’re going to get the contents from two columns into a single column. This is called concatenation and is particularly useful when you only have one column to work with. In order to do this, we need to intercept the request. After a bit of poking around with the repeater, we have deduced that there are two columns but only the second column allows text.

GET /filter?category=Accessories'+UNION+SELECT+NULL,'a'-- HTTP/1.1

So now we need to concatenate the values from the usernames and passwords columns in the user’s table. In order to do this, we can use the following characters ‘||'~'||‘. The double pipe and the tilde in single quotation marks will tell the database that we want to merge the data from the usernames and passwords column. The tilde acts as a delimiter character which allows us to see where the username ends and the password begins. 

GET /filter?category=Accessories'+UNION+SELECT+NULL,username||'~'||password+FROM+users-- HTTP/1.1
SQL Injection Concatenation
SQL Injection Concatenation

The SQL Injection with Concatenation

So now that we have our syntax, we can append it to the request and forward it back to the application. Once the server processes the request, we should have the results of the SQL injection at the bottom of the page. The username and passwords will be separated with a tilde.

SQL Injection with Concatination
SQL Injection with Concatination

And that’s it. All you need to do now is to grab the administrator username and password and login to the application to complete the lab. The power of concatenation is awesome, I learned a lot from this lab.

Administrator Login