Challenge Description
The origin hides its Server header. Determine which web server powers this app anyway.
Objective
The product catalog has a hidden product with a secret flag. Use UNION-based SQL injection to extract data from columns that aren't normally displayed.
What you'll learn
- How to determine the number of columns in a query
- UNION-based SQL injection technique
- Extracting data from hidden columns
Need a Hint?
Trigger a server-generated error (e.g., 405 at /probes/methods) to fingerprint behavior.
Steps to solve:
- Find the number of columns using ORDER BY
- Craft a UNION SELECT with matching columns
- Query the secret_flag column from products
Useful payloads:
' ORDER BY 1--
' ORDER BY 5--
' UNION SELECT 1,2,3,4,5--
MegaMart Product Catalog
Search our amazing products!

| ID | Name | Description | Price | Category |
|---|---|---|---|---|
| Enter a search term to find products | | | | |
Vulnerable Code
```php
<?php
// $search comes straight from the user's request and is interpolated
// into the SQL text unescaped: this is the injection point.
$query = "SELECT id, name, description, price, category
          FROM products
          WHERE category != 'Hidden'
          AND (name LIKE '%$search%'
          OR description LIKE '%$search%')";
```
Notice that the products table also has a secret_flag column that this query never selects...
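As an added illustration (not part of the challenge's own code), the same query rebuilt in Python over an in-memory SQLite table, beside a parameterised version: with string concatenation the statement the database parses depends on the input, while the bound-parameter form sends constant SQL and treats the search term as plain text. The rows, the secret_flag value and the sqlite3 backend are constructed assumptions.

```python
import sqlite3

# Constructed sample data mirroring the challenge's products table, including
# the secret_flag column that the catalogue query never selects.
SCHEMA = """
CREATE TABLE products (
    id INTEGER PRIMARY KEY, name TEXT, description TEXT,
    price REAL, category TEXT, secret_flag TEXT
);
INSERT INTO products VALUES
    (1, 'Widget', 'A basic widget', 9.99, 'Tools', NULL),
    (2, 'Gadget', 'A shiny gadget', 19.99, 'Electronics', NULL),
    (3, 'Secret Item', 'Not listed', 0.0, 'Hidden', 'FLAG{constructed-sample}');
"""

# Hardened form: the SQL text is a constant and never contains user data.
FIXED_SQL = ("SELECT id, name, description, price, category FROM products "
             "WHERE category != 'Hidden' AND (name LIKE ? OR description LIKE ?)")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_sql(search):
    # Same construction as the page's PHP: the input is pasted into the SQL
    # text, so a quote in it closes the string literal and whatever follows
    # is parsed as SQL. The statement the database sees changes per input.
    return ("SELECT id, name, description, price, category FROM products "
            "WHERE category != 'Hidden' AND (name LIKE '%" + search + "%' "
            "OR description LIKE '%" + search + "%')")


def search_vulnerable(conn, search):
    # Raises sqlite3.OperationalError when the injected text breaks the
    # statement's structure (the server-generated errors the hint mentions).
    return conn.execute(build_vulnerable_sql(search)).fetchall()


def search_fixed(conn, search):
    # The search term travels as a bound value: it can only ever be matched
    # literally, so quotes, UNION or comment markers never reach the parser.
    pattern = "%" + search + "%"
    return conn.execute(FIXED_SQL, (pattern, pattern)).fetchall()
```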