|
| 1 | +## Machine Spirits & Malicious Queries: A SQL Injection Lab Chronicle |
| 2 | + |
| 3 | +In the grim darkness of the modern internet, there is only… vulnerable input fields. |
| 4 | + |
| 5 | +Recently, I completed a hands-on cybersecurity lab from portswigger focused on identifying the number of columns returned by a database query using a **UNION-based SQL Injection technique**. While performing the exercise, I couldn’t help but imagine the process through the lens of the techno-mystic engineers of the Adeptus Mechanicus from the universe of Warhammer 40,000. |
| 6 | + |
| 7 | +To them, machines possess spirits. To a security tester, applications behave in similarly mysterious ways—responding to carefully crafted inputs like ancient systems awaiting the correct command rites. |
| 8 | + |
| 9 | + |
| 10 | +## The Lab Objective: Decoding the Machine |
| 11 | + |
| 12 | +The application in the lab contained a **SQL injection vulnerability in a product category filter**. Because the query results were reflected in the application response, it allowed the use of a **UNION-based attack** to retrieve data from other tables. |
| 13 | + |
| 14 | +But before extracting any hidden knowledge from the database, the first ritual must be performed: |
| 15 | + |
| 16 | +**Determine the number of columns returned by the original query.** |
| 17 | + |
| 18 | +Without this knowledge, a UNION attack will fail—much like a Tech-Priest attempting to interface with a sacred machine without first understanding its ports and conduits. |
| 19 | + |
| 20 | + |
| 21 | +## The Ritual of Incremental UNION Queries |
| 22 | + |
| 23 | +The method used involves submitting a sequence of payloads that gradually increase the number of `NULL` values: |
| 24 | + |
| 25 | +``` |
| 26 | +' UNION SELECT NULL-- |
| 27 | +' UNION SELECT NULL,NULL-- |
| 28 | +' UNION SELECT NULL,NULL,NULL-- |
| 29 | +``` |
| 30 | + |
| 31 | +Each attempt is a probe into the machine’s inner structure. |
| 32 | + |
| 33 | +If the number of columns in the injected query **does not match** the original query, the database responds with an error such as: |
| 34 | + |
| 35 | +> “All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.” |
| 36 | +
|
| 37 | +In other words: *the rite was performed incorrectly.* |
| 38 | + |
| 39 | + |
| 40 | +## Why NULL is the Sacred Offering |
| 41 | + |
| 42 | +In this technique, `NULL` values are used because of their flexibility. |
| 43 | + |
| 44 | +Databases require that the data types in both queries be compatible. Since `NULL` can be converted into most data types, it becomes the perfect placeholder when trying to match the column structure of the original query. |
| 45 | + |
| 46 | +Think of it as offering a **universal key** to the machine spirit—one that fits almost any lock. |
| 47 | + |
| 48 | + |
| 49 | +## Observing the Machine’s Response |
| 50 | + |
| 51 | +Once the correct number of `NULL` values matches the column count, the database accepts the UNION query. |
| 52 | + |
| 53 | +At this moment, something interesting happens. |
| 54 | + |
| 55 | +The database returns **an additional row containing NULL values** across all columns. |
| 56 | + |
| 57 | +Depending on how the application processes the response, this may appear as: |
| 58 | + |
| 59 | +* An extra row in a table |
| 60 | +* A new error caused by null values |
| 61 | +* Subtle changes in the HTTP response |
| 62 | +* Or sometimes no obvious difference at all |
| 63 | + |
| 64 | +Interpreting these signals is part science and part intuition—very much like diagnosing the temperament of a stubborn machine spirit. |
| 65 | + |
| 66 | + |
| 67 | +## The Outcome |
| 68 | + |
| 69 | +By iterating through these UNION SELECT payloads, I was able to successfully determine the number of columns returned by the query. |
| 70 | + |
| 71 | +This step is foundational for more advanced exploitation techniques, such as: |
| 72 | + |
| 73 | +* Identifying columns that accept text |
| 74 | +* Extracting database information |
| 75 | +* Retrieving sensitive data from other tables |
| 76 | + |
| 77 | +Once the structure of the query is known, the path to deeper enumeration opens. |
| 78 | + |
| 79 | + |
| 80 | +## Lessons from the Forge |
| 81 | + |
| 82 | +This lab reinforced several key penetration testing principles: |
| 83 | + |
| 84 | + **Understand the structure before exploitation** |
| 85 | + **Observe subtle application responses carefully** |
| 86 | + **Use safe placeholder values like NULL when probing queries** |
| 87 | + **Iterative testing reveals hidden system behavior** |
| 88 | + |
| 89 | +In many ways, penetration testing feels similar to the work of the Adeptus Mechanicus: studying ancient systems, experimenting carefully, and deciphering how hidden mechanisms respond to precise commands. |
| 90 | + |
| 91 | +The difference is that instead of incense and sacred oils, we wield payloads and HTTP requests. |
| 92 | + |
| 93 | +**The machine spirit has spoken—and the query structure has been revealed.** |
| 94 | + |
| 95 | + |
| 96 | +*The Omnissiah approves of well-structured queries… and properly tested applications.* 🔧 |
0 commit comments