Problem Statement :
This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.
The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform an SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.
To first find how many tables are there we can use Order by
' ORDER BY 1-- ' ORDER BY 2-- ' ORDER BY 3-- ' ORDER BY 4-- (This one returned error.)
The KYE here is that we need to first find the number of columns we found. Based on that we need to construct the String finding query. Example these are 3 columns first null first column, 2nd null 2nd column, in place of 3rd null 3rd column we placed our string. (NULL, NULL, ‘a’)
Same way if we figure out there are 4 tables then add 4 nulls to probe those 4 columns (NULL, NULL, NULL, NULL).
' UNION SELECT 'a', NULL, NULL-- ' UNION SELECT NULL, '3WP4t1', NULL-- ' UNION SELECT NULL, NULL, 'a'--
note : Refer to Lab 3 for the example using the SQL database, like what and how we see these queries in database side.