Attack Vector Used
- SQL Injection (SQLi) via the product category filter parameter.
- Exploits improper input sanitization to manipulate the SQL query and extract data from other tables (e.g., `users`) when only one column supports text data.
Exploitation Steps
- Intercept the Request with Burp Suite
- Capture the HTTP request containing the category filter.
- Send it to Burp Repeater for manipulation.
- Determine the Number of Columns and Text Compatibility
- Using: ‘
+UNION+SELECT+NULL,'abc'—
- If successful, confirms two columns, with only the second column supporting text.
- Extract Data from the `users` Table (Concatenated in One Column)
- Using: ‘+UNION+SELECT+NULL,username||’~’||password+FROM+users—
- The `||` operator concatenates `username` and `password` with a separator (`~`).
- Verify the response contains usernames and passwords in a single column (e.g., `admin~password123`).
- Use the provided username and password to login.
Mitigation Strategies
- Use Prepared Statements (Parameterized Queries): Ensures user input is treated as data, not executable SQL.
- Input Validation & Sanitization: Restrict input to expected formats (e.g., allowlist valid category values).
- Limit Database Permissions: Ensure the DB user has minimal privileges (e.g., no unnecessary `
SELECT` access). - Web Application Firewall (WAF): Deploy a WAF to detect and block SQLi patterns.
- Error Handling & Logging: Avoid exposing database errors to users; log them securely for debugging.
Conclusion
This lab demonstrates how a UNION-based SQL injection can bypass column limitations by concatenating data into a single text-compatible column. Always secure applications with defensive coding practices and layered protections.
