Hello everyone I hope you are doing good, I have started to share my walk through for portswigger labs which are good for learning web application pentesting and I find them useful so I am going to and share the solution here.
SQL injection UNION attack, determining the number of columns returned by the query
The description of this labs says that sqli vulnerability exists in category filter of the web application meaning that we need to test sqli on the GET parameter category
Select one of the category on web application we can see that the url contains a parameter named “category”
Here let’s test for blind sqli first to see if we can break the application so I am going to supply a single quote '
And notice that we get an error , now let’s add a boolean query ' and 1=1 --, what this query will do first will close the previous query with ' and then it's going to check the condition if "1=1" is TRUE which will always return TRUE and -- will comment out the rest of the query
We can confirm that sqli vulnerability exists so now is the time to see how many columns are there in the table so then we can extract information from the database in order to do that we are going to use ORDER BY which sorts the data according the column number we provide , it's a good way to see if the column exists or not. We keep doing this until we get an error and if we get an error we conclude that we have found the number of columns on which it didn't gave an error so let's test this
We get a result which means there’s 1 column , let’s test for 2
Now for 3rd column
It shows us a result means that 3rd column also exists in the table
On the fourth column it gave us an error meaning only 3 columns exists in the table so now we can use union based sqli to get the results from the database
Gifts' union select null,null,null --With this we have completed this lab but I want to a step further to see if I can dump the database name, version ,table and etc.
In order to do that the column data type must be the same like if we want to see the version of database it’s in string so the column data type must be string too so it won't work in 1st column
Let’s try it on the second column maybe it’s a string data type
Gifts' union select null,version(),null --And we got to know the version of database being used which is postgreSQL so we can try to list the databases
We can also do this automatically with a tool called sqlmap
Here -u is for specifying a url , --batch is for automating the Y/N questions we get like when perform tests on the parameter and lastly --dump is to retrieve the data from the table
It can dump the data from the tables
