SQL Injection UNION attack, retrieving multiple values in a single column | PortSwigger

In this video, I demonstrate how to exploit a SQL Injection UNION attack to retrieve sensitive data such as usernames and passwords from the users table of a vulnerable web application.

Key steps shown in the video:
Intercepting the Request:
I use Burp Suite to intercept and modify the request that sets the product category filter, which contains the SQL injection vulnerability.

Determining the Number of Columns:
I first perform a UNION attack to determine how many columns are being returned by the query. The initial payload used is:
'+UNION+SELECT+NULL,'test'--, which helps verify that only one of the columns returns text.

Retrieving Usernames and Passwords:
Once the correct number of columns is identified, I use the following payload to retrieve the usernames and passwords from the users table:
'+UNION+SELECT+NULL,username||'~'||password+FROM+users--.

Logging In as Administrator:
After extracting the credentials, I use the administrator's username and password to log in to the application and gain unauthorized access.

This attack showcases how SQL Injection can be used to bypass authentication and access sensitive information by exploiting a UNION attack to query multiple columns from the database.

#SQLInjection #UnionAttack #BurpSuite #Cybersecurity #Pentesting