Introduction
Lab 8 demonstrates a UNION-based SQL injection technique to identify which column in a multi-column query can display text. Using Burp Suite Repeater, the exercise injects a known marker string into each column to discover the text-capable column for later data extraction.

Methodology
- Intercepting the Request: I first navigated to the website’s product page and selected a category. Using Burp Suite’s proxy, I intercepted the request containing the category parameter, which was my target for injection. I then sent this request to the Repeater tool.


- Column Enumeration: The first step of any UNION attack is to determine the number of columns. Based on my previous experience with the lab, I knew the query returned three columns. I confirmed this using the payload '+UNION+SELECT+NULL,NULL,NULL--, which returned a successful response without any errors.


- Finding the Text Column: My goal was to find which of the three columns could display text. I did this by replacing each NULL value with a random string provided by the lab ('oihkou') one at a time.
- Attempt #1: '+UNION+SELECT+'oihkou',NULL,NULL-- (Error) This indicated that the first column was not a text-based column.


- Attempt #2: '+UNION+SELECT+NULL,'oihkou',NULL-- (Success!) This attempt returned a successful response, with the string “oihkou” displayed on the webpage.


- Attempt #3: '+UNION+SELECT+NULL,NULL,'oihkou'-- (Not tested) Testing the third isn’t necessary because the second attempt returned success.

Summary
I intercepted the product category request with Burp Suite and verified the query returned three columns using a '+UNION+SELECT+NULL,NULL,NULL-- payload. To find which column could render text, I replaced each NULL with the lab-provided marker string oihkou one at a time. The first attempt ('oihkou',NULL,NULL) errored, while the second attempt (NULL,'oihkou',NULL) returned successfully and displayed oihkou on the page. This confirmed the second column can hold and display text, so further extraction payloads should target that column.
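
The probing sequence described above leaves a recognizable pattern in request logs: a UNION SELECT padded with NULLs, then the same list with one string literal moving across the columns. The following is an added example, not part of the original write-up, of detection logic for that pattern. The request lines are constructed, and the /filter path and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request lines modelled on the payloads above; the /filter path is an assumption.
SAMPLE_REQUESTS = [
    "GET /filter?category=Gifts HTTP/1.1",
    "GET /filter?category='+UNION+SELECT+NULL,NULL,NULL-- HTTP/1.1",
    "GET /filter?category='+UNION+SELECT+'oihkou',NULL,NULL-- HTTP/1.1",
    "GET /filter?category='+UNION+SELECT+NULL,'oihkou',NULL-- HTTP/1.1",
]

# Captures the select list between UNION [ALL] SELECT and a trailing comment or end of value.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\s+(.+?)\s*(?:--|#|$)", re.I | re.S)


def classify(request_line, param="category"):
    """Return None if the parameter carries no UNION SELECT, else a finding dict."""
    target = request_line.split(" ")[1]
    # parse_qs percent-decodes and turns '+' into spaces, as the server would.
    for value in parse_qs(urlsplit(target).query).get(param, []):
        match = UNION_RE.search(value)
        if not match:
            continue
        # Simplification: splits on every comma, so literals containing commas miscount.
        cols = [c.strip() for c in match.group(1).split(",")]
        text_positions = [i for i, c in enumerate(cols, 1) if c.startswith("'")]
        if all(c.upper() == "NULL" for c in cols):
            stage = "column-count probe"
        elif text_positions:
            stage = "text-column probe"
        else:
            stage = "union select"
        return {"columns": len(cols), "text_positions": text_positions, "stage": stage}
    return None


def scan(request_lines):
    """Pair each flagged request line with its finding, preserving order."""
    findings = [(line, classify(line)) for line in request_lines]
    return [(line, f) for line, f in findings if f is not None]


if __name__ == "__main__":
    for line, finding in scan(SAMPLE_REQUESTS):
        print(finding, "<-", line)
```

A run of findings from one client where the column count stays fixed and the text position changes is the signature of this enumeration step and is worth alerting on before any extraction follows.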





