Portswigger Academy | SQLi Lab
WhoAmI
Hey, I am Nour. I am a second-year Software Engineering student who is interested in cyber security, especially red teaming. I am an "IBM Cyber Security Student Community" leader, where we learn cyber security together; I am also an AWS Community Builder and a CTF player (TryHackMe).
NOTE: This Is For Educational Purposes Only
This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.
To solve the lab, determine the number of columns returned by the query by performing an SQL injection UNION attack that returns an additional row containing null values.
Solution
The first thing we need to do is click around the application and take notes on its main functionality.
As we can see, there are 3 main features:
- Filtering the products that we can buy (All, Accessories, Food & Drink, Gifts, Pets, Tech gifts)
- Viewing the product details
- Logging in
Note: Think about how you would find vulnerabilities in these features if this were a real target.
Now that we have an idea of what we are dealing with, let's open Burp Suite. We need to intercept the request, but how can we do that?
To intercept a request we need to:
In Burp Suite:
- Open the proxy tab
- Open the Intercept tab
- Press "Intercept is off" so that it switches to "Intercept is on"
On the website:
- Click Accessories
Now we need to send the intercepted request to Repeater. We can do that in two ways: with the keyboard shortcut CTRL + R, or by right-clicking the request and choosing Send to Repeater from the menu.
Now let's check the intercepted request.
Here we see the category parameter that we will exploit using the UNION operator. But what is the UNION operator used for?
SQL Crash Course
What is SQL?
- SQL (Structured Query Language) is a language used for storing, manipulating and retrieving data in databases.
What does a database consist of?
- A database consists of tables made up of columns (fields) and rows (records): each column holds a specific attribute, and each row holds a value for each of those attributes.
What is a Query?
- A query is a request for data or information from a database table or combination of tables.
- SELECT … FROM: used to select data from the database
- UNION: combines the results of two or more SELECT statements (the number and order of the columns must be the same in every SELECT)
NOTE:
NULL is used for attributes that have no value
-- (two hyphens) comments out the rest of the query
To check for SQL injection we can add a single quote (') to the category parameter in the URL; this will cause a syntax error.
Now that we know the application is vulnerable to SQL injection, let's craft an exploit. Our goal is to find out how many columns the query returns.
We will start with:
'UNION SELECT NULL, NULL--
(Don't forget to URL-encode the payload by selecting it and pressing CTRL + U.)
This gives an error because the original query returns more columns than our SELECT does, so we keep adding ,NULL until there are no errors.
The final payload:
'UNION+SELECT+NULL,+NULL,+NULL--
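As an added illustration (not part of the original write-up and not PortSwigger's lab code), here is the same column-counting step run against a constructed SQLite table: the string-concatenated filter accepts the payload once it reaches three NULLs, while a parameterised filter never lets the payload change the query. The table, column names and values are invented for the demo.

```python
import sqlite3

# Constructed stand-in for the lab's product table (not the lab's real schema).
SCHEMA = """
CREATE TABLE products (name TEXT, category TEXT, price REAL);
INSERT INTO products VALUES ('Mug', 'Gifts', 9.5), ('Lamp', 'Tech gifts', 30.0);
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def filter_vulnerable(conn, category):
    # The category value is spliced into the SQL text, so a quote closes the
    # literal and whatever follows is parsed as SQL (the lab's flaw).
    sql = f"SELECT name, category, price FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()

def filter_safe(conn, category):
    # Bound parameter: the driver sends the value separately from the query
    # text, so it can never alter the statement's structure.
    sql = "SELECT name, category, price FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()

def probe_column_count(conn, query_fn, max_cols=6):
    """The column-count step from the lab: add NULLs until the UNION stops
    erroring and an all-NULL row comes back. Returns that count, or None
    when the filter does not let the payload change the query."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ", ".join(["NULL"] * n) + "--"
        try:
            rows = query_fn(conn, payload)
        except sqlite3.OperationalError:
            # Column-count mismatch between the two SELECTs: try one more NULL.
            continue
        if (None,) * n in rows:
            return n
    return None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable filter:", probe_column_count(db, filter_vulnerable))   # 3
    print("parameterised filter:", probe_column_count(db, filter_safe))      # None
```

The parameterised version returns no rows for the payload and raises no error, which is exactly why the probe finds nothing against it.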
Newsletter
I will be sharing my learning journey, cyber security news, new CVEs, study resources and more. Feel free to subscribe 😊, and please don't forget to drink water 🌊