Server-Side Attacks | SQL Injection contexts WalkThrough -PortSwigger Labs -Part1-

Hello My Friends, Today I will show you how You can solve all Challenges Portswigger Labs, and I explain All Vulnerability. when I started To solving The Labs, I had a problem that I wasn’t Good enough in PHP, js, and SQL. So make sure to study this Language to understand all payloads and Vulnerabilities .

In This part I will solve SQL injection UNION attack :

Lab 1 : SQL injection UNION attack, determining the number of columns returned by the query :

• In this Lab determine The number of columns returned by The query .
• Product category is filter .
• We use UNION attack to retrieve Data from other tables .

First of all , I Test UNION attack in category parameter and I observed that an error occurs , This let me believe that’s vulnerable to SQLi .

Use Burp Suite to intercept the Request and send it to Repeater , Then Modify the category parameter to add an additional column containing a null value ,

try :

‘ UNION select NULL —
‘ UNION select NULL,NULL —
‘ UNION select NULL,NULL,NULL —
etc.

لازم نحدد العدد الصحيح للاعمدة

Ps : Encode The query

That’s means we have 3 columns .

Congratulations, you solved the lab!

WAIT !!

Another way to find The number of columns :

Test with ORDER BY Payload and when You get an error That’s means we don’t have a Columns.

‘ ORDER BY 1 —
‘ ORDER BY 2 —
‘ ORDER BY 3 —
etc.

لازم نعطي العدد الصحيح للاعمدة

Lab 2 : SQL injection UNION attack, finding a column containing text :

In This Lab we use UNION attack To retrieve data from tables.

First we need to determine the number of columns ,

• use ORDER BY 3 --

And we Make the database retrieve the string : ‘****’

Congratulations, you solved the lab!

Lab 3 : SQL injection UNION attack, retrieving data from other tables

In this Lab we retrieve data from specific Table called Users , with 2 columns called Username and password .

• Determine number of columns
• Use this query ‘ UNION SELECT username,password FROM users —

and log in to the account as an administrator.

Lab 4 : SQL injection UNION attack, retrieving multiple values in a single column .

In this Lab we need to retrieving multiple values in a single column .

So first, Test the columns that contain text data,

• use : ‘ UNION SELECT NULL,’absc’ —

and we can Concatenate together multiple strings to make a single string to retrieve the contents of the users table :

‘ UNION SELECT NULL,username||’~’||password FROM users —

then Go login :

You can concatenate together multiple strings to make a single string.
Oracle ‘foo’||’bar’
Microsoft ‘foo’+’bar’
PostgreSQL ‘foo’||’bar’
MySQL ‘foo’ ‘bar’ [Note the space between the two strings]
CONCAT(‘foo’,’bar’)