SQL injection Union attack: Finding columns with a useful data type.

Hey there hackers, This is a walkthrough of the second lab of the SQL injection Union attack on Web Security Academy. I hope that you learn something from my experience.

Ok, so we aren’t performing a SQL injection Union attack just to find out how many columns is in a table of an application, that’s just a part of the process. Lost? You can refer to my first blog on SQL injection Union attack to get a better understanding. :) Anywho, we are here, right now reading this blog because we need to get the juicy info, we need the important stuff and this second lab is supposed to help us know how to do that.

So the juicy info like passwords and usernames are usually of a string data type. Now that we know the number of columns, we can now determine which column is holding some of the important stuff. Let’s goo…

This can be done with the UNION SELECT payload which places a string into each column replacing whatever other data type was in it before.

Open Burp Suit and Select Proxy -> Intercept is on

Send to Repeater

In the request window under repeater enter the following SQL injection in the category type :

‘UNION+SELECT+‘4dgrER’,+NULL+NULL- —

‘UNION+SELECT+NULL,‘4dgrER’,+NULL- — (SUCCESS)

‘UNION+SELECT+NULL,+NULL, ‘4dgrER’- —

We had already determined in the previous blog walkthrough that there were only 3 columns in the application’s database. Replace each NULL one at a time with the string value ’4dgrER’

We can determine because there was no error message when the string was entered in column #2 that it can hold string data type.

Thanks for reading. Follow my medium account. Can I get a clap?