Level 02 · UNION-based Injection

Exfiltrate everything

This product search filters by category. The query selects 4 columns. Use a UNION attack to make the query return data from other tables — including the secrets table that holds a flag.

Objective

Extract the flag value from the secrets table. The flag is in the format FLAG{...}.

Loading SQLite engine

Product Search

The methodology

[ HOW UNION ATTACKS WORK ]

Confirm injectability — submit a single quote (') and see if you get an error or weird behavior.
Find the column count — UNION requires both sides to have the same number of columns. Try UNION SELECT 1, then 1,2, then 1,2,3... until no error.
Find string-compatible columns — replace numbers with 'a' to see which columns can carry text values.
Enumerate the schema — query sqlite_master in SQLite or information_schema.tables in MySQL/Postgres.
Exfiltrate — UNION SELECT from interesting tables and read the data from the rendered output.

Why parameterized queries fix this — your input is treated as a literal value for the WHERE clause. Even a perfectly crafted UNION payload gets treated as one really weird-looking category name. No SQL parsing.