Disclaimer: The techniques described in this document are intended solely for ethical use and educational purposes. Unauthorized use of these methods outside approved environments is strictly prohibited, as it is illegal, unethical, and may lead to severe consequences.
It is crucial to act responsibly, comply with all applicable laws, and adhere to established ethical guidelines. Any activity that exploits security vulnerabilities or compromises the safety, privacy, or integrity of others is strictly forbidden.
Summary of the Vulnerability
This lab demonstrates a SQL injection UNION attack within the product category filter of an application. The vulnerability occurs because the server-side SQL query directly incorporates unsanitized user input. As a result, an attacker can manipulate the query logic and inject additional SQL statements.
In this scenario, the attacker's goal is to determine how many columns the underlying SQL query returns. This step is essential because a successful UNION-based attack requires the injected query and the original query to return the same number of columns. To achieve this, attackers typically inject NULL values until the query executes successfully, revealing the correct column count.
Steps to Reproduce & Proof of Concept (PoC)
① Open the SQLi lab in your browser.
② Navigate to the vulnerable filter page. In this example I used the Gifts category:
https://<your-lab-id>.web-security-academy.net/filter?category=Gifts
③ In Burp, open HTTP history and send the GET /filter?category=Gifts request to Repeater.

④ Inject a single quote (') into the category parameter to trigger a SQL error.

⑤ After confirming an error is returned, enumerate the number of columns using ORDER BY. Comment out the remainder of the original query so the injected clause is the last thing parsed (in MySQL, -- followed by a space comments out the rest of the line).
Example approach: try ORDER BY 1, ORDER BY 2, … until the server returns an error; the last number that works indicates the column count.

⑥ I initially tested with 5 columns and still received an error. I then reduced the column count from 5 to 3. When the page loaded normally, this indicated the query returns 3 columns.

⑦ With the column count identified, use UNION to return an extra row of NULL values matching the column count. Because the lab's objective is to determine the number of columns, the payload used was:
'+UNION+SELECT+null,null,null--+-

⑧ Return to the browser — the lab should now be solved.
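To make steps ⑤ to ⑦ concrete without a lab instance, here is an added example (my own code, not part of the original post or the lab) that models the category filter on an in-memory SQLite database. The products table, its three columns (name, description, category), the sample rows and the helper names are all assumptions made for the example. It shows the vulnerable concatenation next to the parameterised fix, and runs the same ORDER BY and UNION SELECT NULL probes against both so you can see why the fix removes the information leak rather than just hiding it:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a three-column products table, mirroring the
    three columns the lab's query was found to return."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, description TEXT, category TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            ("Mug", "A ceramic mug", "Gifts"),
            ("Lamp", "A desk lamp", "Gifts"),
            ("Chair", "An office chair", "Furniture"),
        ],
    )
    return conn


def vulnerable_filter(conn, category):
    """The unsafe pattern the write-up describes: the category value is
    concatenated straight into the SQL text, so a quote in the input ends
    the string literal and whatever follows is parsed as SQL.
    Returns (True, rows) on success or (False, error_message) on a SQL error."""
    sql = (
        "SELECT name, description, category FROM products "
        f"WHERE category = '{category}'"
    )
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return False, str(exc)


def safe_filter(conn, category):
    """The fix: a bound parameter. The driver passes the value separately
    from the statement text, so it is only ever compared as data. Same
    return shape as vulnerable_filter so both can be driven by the probes."""
    sql = "SELECT name, description, category FROM products WHERE category = ?"
    return True, conn.execute(sql, (category,)).fetchall()


def probe_column_count(conn, query_fn, max_cols=10):
    """Step 5 as code: ORDER BY n behaves normally while n <= the column
    count and raises an error once n exceeds it. A probe only counts as
    successful if the result set still comes back populated (the page
    'loads normally'). Returns the inferred count, or 0 when no probe takes
    effect, which is what the parameterised version yields."""
    count = 0
    for n in range(1, max_cols + 1):
        ok, rows = query_fn(conn, f"Gifts' ORDER BY {n}-- ")
        if not ok or not rows:
            break
        count = n
    return count


def union_null_row(conn, query_fn, n_cols):
    """Step 7 as code: append a UNION SELECT with n_cols NULLs. The database
    accepts it only when n_cols matches the original query's column count;
    the extra all-NULL row is then visible in the result.
    Returns (ok, rows_or_error)."""
    nulls = ",".join(["NULL"] * n_cols)
    return query_fn(conn, f"Gifts' UNION SELECT {nulls}-- ")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable: columns =", probe_column_count(db, vulnerable_filter))
    print("vulnerable: UNION 2 NULLs ->", union_null_row(db, vulnerable_filter, 2))
    print("vulnerable: UNION 3 NULLs ->", union_null_row(db, vulnerable_filter, 3))
    print("parameterised: columns =", probe_column_count(db, safe_filter))
    print("parameterised: UNION 3 NULLs ->", union_null_row(db, safe_filter, 3))
```

Against vulnerable_filter the ORDER BY ladder stops at 3 and only the three-NULL UNION is accepted, which is exactly the signal the lab teaches you to read. Against safe_filter every probe is just a category string that matches nothing: no error, no rows, no column count. SQLite's comment and error behaviour differs slightly from MySQL's, but the logic of the probe is the same.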

Impact
If this vulnerability exists in a production environment, the consequences can be severe. An attacker could enumerate database structure by identifying the number of columns, which is the foundation for building more advanced payloads.
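From the defending side, the enumeration sequence above leaves a recognisable trail in web-server logs: a lone quote, an ORDER BY ladder that flips from 200 to 500, then a UNION SELECT null,... payload, all from one client in a short window. The following is an added example (my own code, not from the original post) that scans constructed access-log lines for that pattern; the log format, IP addresses and request paths are made up for the example and the rule names are my own:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /filter?category=Gifts' HTTP/1.1" 500 312
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /filter?category=Gifts'+ORDER+BY+1-- HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /filter?category=Gifts'+ORDER+BY+5-- HTTP/1.1" 500 312
203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "GET /filter?category='+UNION+SELECT+null,null,null--+- HTTP/1.1" 200 5210
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /filter?category=Furniture HTTP/1.1" 200 4988
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)

# Rule name -> regex applied to the URL-decoded category value.
RULES = [
    ("quote_probe", re.compile(r"^[^']*'\s*$")),        # value that ends in a bare quote
    ("order_by_probe", re.compile(r"'\s*ORDER\s+BY\s+\d+", re.I)),
    ("union_null_probe", re.compile(r"UNION\s+SELECT\s+null(\s*,\s*null)*", re.I)),
]


def parse_line(line):
    """Parse one log line; return a dict with the decoded category parameter,
    or None if the line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    query = parse_qs(urlsplit(entry["path"]).query)  # decodes '+' and %xx
    entry["category"] = query.get("category", [""])[0]
    return entry


def classify(entry):
    """Names of the rules that fire on this request's category value."""
    return [name for name, rx in RULES if rx.search(entry["category"])]


def scan(log_text):
    """Return (ip, status, decoded_category, rule_hits) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], int(entry["status"]), entry["category"], hits))
    return findings


def summarize_by_ip(findings):
    """Group findings per client so the ORDER BY ladder plus the UNION payload
    from one source shows up as a single enumeration attempt, with the count
    of 5xx responses (the errors the attacker is deliberately triggering)."""
    by_ip = {}
    for ip, status, _, hits in findings:
        s = by_ip.setdefault(ip, {"requests": 0, "errors": 0, "rules": set()})
        s["requests"] += 1
        s["errors"] += int(status >= 500)
        s["rules"].update(hits)
    return by_ip


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(summarize_by_ip(scan(SAMPLE_LOG)))
```

Two points worth keeping in mind when adapting this: match on the decoded parameter value, not the raw URL, because the same payload can be written with +, %20 or inline comments; and treat the per-client summary (several rules firing plus a mix of 200 and 500 responses) as the alert, since a single quote in a query string is noisy on its own.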
📢 Enjoyed this post? Stay connected! If you found this article helpful or insightful, consider following me for more:
- 📖 Medium: bashoverflow.medium.com
- 🐦 Twitter / X: @_havij
- </> Github: havij13
🙏Your support is appreciated.