This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the administrator user.
===========================================================
GOAL : → log in as the administrator user.s
===========================================================
Solution :
First we need to know what’s the Type of the database and know How many the columns of the database
→ i use sqlmap to know what’s the type of the Database
sqlmap -u "<https://0a0500a404ddc67480eea8e100b4006f.web-security-academy.net/filter?category=Food+%2526+Drink>" --level=5 --risk=3
WOW! Database type is PostgreSQL
Now we need to Know how many number of columns on this database
use ORDER BY {variable_number} --
variable number it’s like 1,2,3,4