> For the complete documentation index, see [llms.txt](https://shadowforge.gitbook.io/shadowforge-writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://shadowforge.gitbook.io/shadowforge-writeups/bugforge.io/readme.txt/daily-labs/sqli/copypasta.md).

# CopyPasta

> Today we have a lab with the hint ***SQLi***

Like usual, we click around in the application and look in Burp to see what we can use. Today was a bit harder and that's because I did not click all functionality.

When you share a snippet, a share link is created. This one is vulnerable to ***SQLi.***

<figure><img src="/files/4RbhUJ4cQha2JXN8IN2s" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/wrdUJtgzTNsY3kR22KHY" alt=""><figcaption></figcaption></figure>

When we take that same request and put it into Burp, we can start crafting our `union select` attack. When I hit 6 nulls, I got feedback. Usually the flag is in the password of the admin, so I crafted the payload `' union select 1,password,null,null,null,null from users—`&#x20;

<figure><img src="/files/0O78d8mC1JdlOmlqupXT" alt=""><figcaption></figcaption></figure>

And with the response, my flag 🇧🇪 was readable.
