SQL injection UNION attack, retrieving multiple values in a single column

Hey hackers! This is a write up of Lab # 6 SQL injection on Web Security Academy.

• This lab aims to retrieve all usernames and passwords and use the information to log in as an administrator user using the SQL injection vulnerability in the product category filter. The results of the injection(the usernames and passwords) should be shown in the application window.

First, we need to know how many columns are in the product category.

‘UNION+SELECT+NULL,+NULL — -

Two columns were found!

Secondly find which of the two columns is storing text.

‘UNION+SELECT+NULL,‘ABC’ — -

The second column has the text!

Only the second column is storing text but we need to get both the username and password from this column we, therefore, need to concatenate the strings (username and password) but we need to know the database version so we are able to use the correct SQL injection…

‘UNION+SELECT+NULL, version()- — didn’t produce an error

…PostgreSQL is therefore the correct database version. So we will use its respective string concatenation syntax

‘UNION+SELECT+NULL,username||’~’||password+FROM+users — -

This yielded the username and password from the column users and seperated the results with ‘||~ ||’

With the information retrieved, we will now log in to administrator with the password stated.

We have successfully completed the lab. Thanks again for joining me on another walkthrough.