Burp Suite User Forum


Lab#SQL injection attack, querying the database type and version on MySQL and Microsoft

anarchia.2030 | Last updated: Nov 19, 2020 07:27PM UTC

Dear all, my question refers to https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft. I already tried setting the injectable parameter to the following payloads without success:

- ' UNION SELECT 'abc', 'def'--
- ' UNION SELECT @@version,NULL# (given solution)

Any help is highly appreciated :)

Ben, PortSwigger Agent | Last updated: Nov 20, 2020 09:10AM UTC

Hi,

Are you trying to enter these payloads via the address bar of your browser or through Burp?

anarchia.2030 | Last updated: Nov 20, 2020 12:53PM UTC

Hey, I tried it via Burp now and it just worked out. Thanks =) Still confused where the difference is and why it was working on previous labs?

Ben, PortSwigger Agent | Last updated: Nov 23, 2020 02:14PM UTC

Hi,

With the given solution, the payload is using a special character that, if you want to simply add it into the address bar, will need to be encoded for it to work as intended.
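Added example, not part of the original thread or of PortSwigger's material: under the URL standard a raw # begins the fragment, which a browser keeps client-side and never sends, so the parameter value reaches the server without it unless it is encoded as %23. The host, path and parameter name below are constructed placeholders; the payload string is the one quoted in the thread, and the check is generalised to the other characters that change meaning inside a query string.

```javascript
// Added example. Host, path and parameter name are constructed placeholders;
// the payload string is the one quoted in the thread.
const BASE = 'https://lab.example/filter?category=';
const PAYLOAD = "' UNION SELECT @@version,NULL#";

// Parse a URL the way a browser does (WHATWG URL standard) and report
// what goes on the request line versus what stays client-side.
function asSentByBrowser(url) {
  const u = new URL(url);
  return {
    requestTarget: u.pathname + u.search,     // sent to the server
    category: u.searchParams.get('category'), // value the server decodes
    fragment: u.hash,                         // never sent to the server
  };
}

// Characters that change meaning when pasted unencoded into a query string.
const QUERY_META = {
  '#': 'starts the fragment',
  '&': 'starts a new parameter',
  '+': 'decoded as a space',
  '%': 'starts a percent-escape',
};

// Compare delivery of the same value pasted raw and percent-encoded.
function compareDelivery(value) {
  const raw = asSentByBrowser(BASE + value);
  const encoded = asSentByBrowser(BASE + encodeURIComponent(value));
  const risky = [...new Set(value)].filter((c) => c in QUERY_META);
  return {
    raw,
    encoded,
    risky,
    intactRaw: raw.category === value,
    intactEncoded: encoded.category === value,
  };
}

const result = compareDelivery(PAYLOAD);
console.log(result);
for (const c of result.risky) console.log(`${c} ${QUERY_META[c]}`);
```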
