Introduction
SQL Injection (SQLi) remains one of the most critical vulnerabilities in web applications. In this write-up, I walk through a hands-on attack methodology using Burp Suite to identify, exploit, and extract sensitive data from a vulnerable product category filter. This process covers query structure discovery, table and column enumeration, and credential extraction, ultimately leading to full administrative access.
Attack Methodology
- Identify and Intercept: I identified a product category filter as a potential injection point. I used Burp Suite to intercept the request and sent it to the Repeater.
- Determine Query Structure:
  - I used '+UNION+SELECT+NULL,NULL-- to confirm the number of columns.
  - I used '+UNION+SELECT+'abc','def'-- to confirm their data types, verifying that the query returned two text-based columns.
- Enumerate Tables: By querying information_schema.tables, I retrieved a list of all tables in the database. The payload used was '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--. This led to the discovery of a table containing user information, named users_hzstpf.
- Enumerate Columns: I then queried information_schema.columns to list the column names within the discovered table: '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_hzstpf'--. This identified the username_zlhwho and password_noznbv columns.
- Extract Credentials: The final step was to craft a payload that extracted all usernames and passwords: '+UNION+SELECT+username_zlhwho,+password_noznbv+FROM+users_hzstpf--. The administrator’s credentials were found in the results.
- Login and Completion: Using the extracted password, I logged in as the administrator, successfully completing the lab objective.
Summary
This post explains step-by-step how I identified an SQL injection point in a product filter, confirmed the query structure, enumerated database tables and columns, extracted sensitive user credentials, and successfully logged in as an administrator. Using Burp Suite and UNION-based SQL injection payloads, I demonstrate how attackers approach vulnerabilities and why proper input validation and secure coding practices are essential for defense.
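The defense named in the summary, as an added example that is not part of the original write-up or the lab's code: a category filter built by string concatenation beside its parameterized and allow-list-validated forms. The in-memory SQLite database, the table and column names, the sample rows and the function names are all constructed assumptions standing in for the lab application.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory SQLite stand-in for the lab database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Mug', 'Ceramic mug', 'Gifts'),
                                    ('Lamp', 'Desk lamp', 'Lighting');
        INSERT INTO users VALUES ('administrator', 'constructed-secret');
    """)
    return db

def filter_vulnerable(db, category):
    # 'Before': the parameter is concatenated into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name, description FROM products "
           "WHERE category = '" + category + "'")
    return db.execute(sql).fetchall()

def filter_parameterized(db, category):
    # 'After': the value is bound as data; the statement text never changes.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

# Hypothetical allow-list; a real application would load its known categories.
ALLOWED_CATEGORIES = {"Gifts", "Lighting"}

def filter_validated(db, category):
    # Input validation layered on top: reject anything not a known category.
    if category not in ALLOWED_CATEGORIES:
        raise ValueError("unknown category")
    return filter_parameterized(db, category)

if __name__ == "__main__":
    db = make_db()
    # Same shape as the write-up's final payload, URL-decoded, aimed at the
    # constructed users table above.
    probe = "Gifts' UNION SELECT username, password FROM users--"
    print("vulnerable:   ", filter_vulnerable(db, probe))
    print("parameterized:", filter_parameterized(db, probe))
```

With the bound parameter, the whole probe string is compared against the category column as a literal value, so it matches no rows and the users table is never read.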





