Portswigger Academy | SQLi Lab

WhoAmI

Hey I am Nour, I am a Second Year Software Engineering student who is interested in cyber security especially red teaming, and I am an “IBM Cyber Security Student Community” Leader where we learn cyber security together, also I am an AWS Community Builder and a CTF player (Try Hack Me)

NOTE: This Is For Educational Purposes Only

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.

To solve the lab, determine the number of columns returned by the query by performing an SQL injection UNION attack that returns an additional row containing null values.

Solution

The first thing we need to do is to click around the application and take notes of the main functionalities

As we see we have 3 main features which are

  • Filtering the products that we can buy (All, Accessories, Food & Drink, Gifts, Pets, Tech gifts)
  • Viewing the product details
  • Logging in

Note: Try to think about how would you find vulnerabilities in those features if this was a real target

Now that we have an idea about what we are dealing with lets open Burpsuite, now we need to intercept the request but how can we do that?

To intercept a request we need to

In Burpsuite

  • Open the proxy tab
  • Open the Intercept tab
  • Press Intercept is off

In the website

  • Press on accessories

Now we need to send the intercepted request to the repeater we can do that by two ways the first one is by using a keyboard shortcut which is CTRL + R or we can press Right Click and then choose Send to Repeater from the menu

Now let’s check the intercepted request

Here we see the category parameter that we need to exploit using the UNION operator but what is the UNION operator used for?

SQL Crash Course

What is SQL?
- SQL or Structured Query Language is a language used for storing, manipulating and retrieving data in databases

What does a database consist of?
- A database is a table consisting of columns (fields) and rows (records) where each column contains a specific attribute and each row features a certain value for the corresponding attribute.

What is a Query?
- A query is a request for data or information from a database table or combination of tables.

- SELECT … FROM: used to select data from the database

- UNION: The UNION operator is used to combine the result of two or more SELECT statements (The number and order of the columns must be the same in all queries)

NOTE:
NULL is used for attributes that have no value
— — is used to comment the query

To check for SQL injection we can add ‘ in the URL, this will cause a syntax error

Now that we know that the application is vulnerable to SQL injection let’s craft an exploit, our goal is to know how many columns are there?

We will start with

'UNION SELECT NULL, NULL--

(Don’t forget to encode the URL by selecting the payload then pressing CTRL + U)

But this will give an error because there are more columns, so we will keep adding ,NULL until there are no errors

The final payload

'UNION+SELECT+NULL,+NULL,+NULL--

Newsletter

I will be sharing my learning journey, cyber security news, new CVEs and study resources, and more, feel free to subscribe 😊 and please don’t forget to drink water 🌊

⭐I love connecting with different people so if you want to say hi, I’ll be happy to meet you more! :)

LinkedIn
Twitter

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store