1.6 KiB
Portswigger SQLi-Lab 2
SQL injection UNION attack, finding a column containing text
So in this lab following the previous one , we know that the category
parameter is vulnerabile to sqli and we know the exact number of columns so we can perform union based sqli . Here we need to show a random string using union sqli so let's begin
We can see the random string that we need to retreive so selecting any category will make the url appear with the GET parameter category
Performing union based sqli
The reason we used null
is because we don't know yet the data type of the columns being used in the table so by supplying null data type it's convertable to every data type that is why used it so it can increase our chances that column count is correct we won't get any errors
Now to retrevie the random string we first need to identifiy which column is using data type string
or varchar
in DBMS terms. We can use version()
which returns the version of database being used as string so we can use it to identify which column is using string data type
The first column is not compatible , let's try the second column
Neat , we now know the second column uses string data type so we can just add random string like this
Gifts' union select null,'hXl2ys',null --
The reason we are using single quotes is because this is a string
With this we have solved this lab