SQL INJECTION(redtiger.lab)-Part 5

aayush malla
4 min readSep 25, 2020


Till now we have completed up to level 5 of redtigerlab were we have learned about Normal SQL injection,Blind SQL Injection,Login bypass using SQL Injection.

Today we will be looking into different approach of performing SQL Injection known as SQL Injection with nested query here in this type of SQL injection we have to send SQL query within a SQL query to perform the attack.

We will be doing level 6 of redtiger lab which covers the concept of SQL injection with nested query.

Here in level 5 our target is to find the first user in table level6_users with the status 1.

fig 1: Interface of the level 6

Here when we click on click me then the get request with parameter usr=1 is passed and username and email is displayed as shown in the fig 1 .

Step 1: At first we have to find the number of column of the table level6_users. And for this we can use following queries:

1 usr =1 order by 5
2. usr =1 union select 1,2,3,4,5 from level6_users

Here no of columns are determined using hit and trail method and as this is not blind SQL injection it will generate error if we use column number greater than the actual column number. For example if we use any number > 5 in order by query then webpage will display error as level6_users table have 5 columns and the resultant query will be a false query.

If we use column number <5 then it will not generate error as the query will be a true query.

fig 2: Error when we send false query

Step 2: Now we have to find the column Number which can be used to display information is website.

Here id =1,2,3,4 give a valid user detail so we use any number other than 1,2,3,4 lets say 8

So now the query will be.

usr = 8 union select 1,2,3,4,5 from level6_users where status =1#

But using this query webpage will display user not found.

fig 3: user not found

This means we have to find the position of username and password column in the table level6_users through hit and trial.

Here by hit and trail i found out that using username in 2nd column gives username as admin.

But password was not found on any of these columns. Which means that we can use only 2nd columns to generate data.

And to do so we have to use nested query.

Now lets try to inject the query ‘ union select 1,2,3,4,5 from level6_users where status=1# in place of 2nd column.

8 union select 1,‘ union select 1,2,3,4,5 from level6_users where status=1#,3,4,5 from level6_users where status=1 #

But we can’t write it directly as it will consider both queries as a single query. So to overcome this we have to convert the nested query(query written in 2nd column)into hexadecimal value.Now the above query will be

8 union select 1 ,0x2720756e696f6e2073656c65637420312c322c332c342c352066726f6d206c6576656c365f757365727320776865726520737461747573203d3123,3,4,5 from level6_users where status =1 #

Now we get the columns in nested query from which we can extract information.

fig 4: Identified column number from which data can be extracted

Now we know that using column 2 and 4 in nested query we can display information.

So the nested query will be :

‘ union select 1,username,3,password,5 from level6_users where status=1 #

Now converting the above query into hexadecimal value and passing in column 2 of the parent query the resultant query will be:

8 union select 1,0x2720756e696f6e2073656c65637420312c757365726e616d652c332c70617373776f72642c352066726f6d206c6576656c365f7573657273207768657265207374617475733d31202327,3,4,5 from level6_users where status=1 #

Now on passing the above query in parameter usr. we get the following result.

fig 5: username and password extracted

Here we successfully extracted the username and the password using nested query to perform SQL Injection.

Hence in scenarios like above we can use nested queries to perform SQL Injection.




aayush malla

Data Engineer, Cybersecurity enthusiast , PLSQL, Data Analyst