UNION-based SQL injection used to enumerate database tables, extract credential columns, dump usernames and passwords, and log in as the administrator.
Write-Up by Aditya Bhatt | UNION-Based SQLi | Database Enumeration | BurpSuite
⚡ TL;DR
A UNION-based SQL injection in the product category filter lets us:
- Detect column count
- Enumerate all tables via `information_schema`
- Identify the users table (`users_jzxhga`)
- Extract credential columns (`username_bwgqeq`, `password_wziyaf`)
- Dump all usernames + passwords
- Log in as administrator
Simple UNION SQLi → Full DB compromise → Admin access 🔥
📝 Brief Introduction
This PortSwigger lab simulates a real-world SQL injection scenario where the product category filter is vulnerable to injection. Because the application reflects SQL results directly in the response, it becomes trivial to perform UNION-based enumeration, extract sensitive data from backend tables…