From 267a924ec9cd81805d19ff23e57d3a712347a3ea Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Sat, 5 Jun 2021 05:56:07 +0500 Subject: [PATCH] Add files via upload --- Portswigger/SQLi-Labs/Lab4.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 Portswigger/SQLi-Labs/Lab4.md diff --git a/Portswigger/SQLi-Labs/Lab4.md b/Portswigger/SQLi-Labs/Lab4.md new file mode 100644 index 0000000..2581b07 --- /dev/null +++ b/Portswigger/SQLi-Labs/Lab4.md @@ -0,0 +1,34 @@ +# Portswigger SQLi-Lab 4 +## SQL injection UNION attack, retrieving multiple values in a single column + +In this lab we need to retrieve data as we did in the previous lab but this time we need to get username and password in a single column so here we have the same application with the same parameter being vulnerable to sql injection + + + + + +We have to columns in the table so we need to extract the data but keep in mind to only utilize one column but in this lab things are a little different if we try to query username and password if we would get an error + + + +Here maybe the first column isn't using `string` data type , let's to query username on second column + + + +And it worked , now with this column name , we need to get `password` as well with the `username` to do that we have to do string concatenation + + + +It worked but doesn't look good maybe we can make better so let's try it + +```sql +Gifts' union select null,username|| ':' || password from users -- +``` + + + +This is perfect now we just need to login to the application as `administrator` + + + +With this we have solved this lab !!! \ No newline at end of file