SQL Injection – UNION attack, retrieving data from other tables | PortSwigger Lab Note #4

target：

• Lab URL:

https://portswigger.net/web-security/learning-paths/sql-injection/sql-injection-using-a-sql-injection-union-attack-to-retrieve-interesting-data/sql-injection/union-attacks/lab-retrieve-data-from-other-tables

• Tools Used:

1. browser

2. Burp suite

Vulnerability Summary：

• Type: SQL Injection

• Description:

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Steps to Exploit：

1.Using the technique mentioned in the last note, we can determine the number of columns returned by the query and which columns contain text data. Verify that the query returns two columns, both of which contain text.

2.Inject the payload, then obtain the password belonging to the administrator.

Remediation：

• Use parameterized queries / prepared statements

• Use server‑side input validation

• Escape and sanitize user input

Lessons Learned：

When you have determined the number of columns returned by the original query and found which columns can hold string data, you are in a position to retrieve interesting data