Portswigger Academy | SQLi Lab

WhoAmI

Hey, I am Nour I am a Software engineering student, and here are some of the communities that I am part of:

  • IBM Community leader and IBMZ Student Ambassador
  • AWS Community Builder
  • Microsoft Student Ambassador

also, I love solving and creating OSINT CTFs at @Hacktoria connect with me on LinkedIn and Twitter

ps: I love talking to everyone

now enough introductions and let’s get into today’s lab hehe

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.

The database contains a different table called users, with columns called username and password.

To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

NOTE: This Is For Educational Purposes Only

Solution

Before we do anything we need to understand the application so let’s click around and note down the interesting functionalities that we find

now that we know the main functionalities let’s see what we need to do in this lab

ps: scroll down for an SQL crash course

[Task 1] Determine the number of columns

(scroll down for the sql crash course)

Just like we did in the past two labs we are gonna use the UNION attack (we keep adding nulls until the error disappears and then the number of nulls will be equal to the number of columns)

first, we need to intercept and modify the request that sets the product category filter.

we can start by modifying the category parameter with
'UNION SELECT NULL, NULL--

(Don’t forget to encode the URL by selecting the payload then pressing CTRL + U)

But this will give an error because there are more columns, so we will keep adding, NULL until there are no errors

The Final Payload

'+UNION+SELECT+NULL,+NULL,--

now that we figured out the number of columns let’s get into the next task which is identifying a column that is compatible with string data

[Task 2] Identify a column that is compatible with string data

(scroll down for the SQL crash course)

just like we did in the last lab we can replace the NULLs with a string and if it gave an error then this means this column doesn't have string as its data type

Final Payload

'+UNION+SELECT+'hello','world'--

(Don’t forget to encode the URL by selecting the payload then pressing CTRL + U)

[Task 3] Retrieve all usernames and passwords

(scroll down for the sql crash course)

To retrieve the username and password we gonna use the union, select, from operators to craft a query that gets both the username and passwords

Final Payload

'+UNION+SELECT+username,+password+FROM+users--

you might wonder why did we use those columns' names (username, password, and users)?

That's because they wrote it in the lab prompt.

now all we need to do is login with the username and password that we found

SQL Crash Course

What is SQL?
- SQL or Structured Query Language is a language used for storing, manipulating and retrieving data in databases

What does a database consist of?
- A database is a table consisting of columns (fields) and rows (records) where each column contains a specific attribute and each row features a certain value for the corresponding attribute.

What is a Query?
- A query is a request for data or information from a database table or combination of tables.

- SELECT … FROM: used to select data from the database

  • UNION: The UNION operator is used to combine the result of two or more SELECT statements (The number and order of the columns must be the same in all queries)

NOTE:
NULL is used for attributes that have no value
- -is used to comment the query

What does data type mean?
In computer science and computer programming, a data type or simply type is an attribute of data that tells the compiler or interpreter how the programmer intends to use the data. Most programming languages support basic data types of integer numbers (of varying sizes), floating-point numbers (which approximate real numbers), characters, and Booleans. A data type constrains the values that an expression, such as a variable or a function, might take. This data type defines the operations that can be done on the data, the meaning of the data, and the way values of that type can be stored. A data type provides a set of values from which an expression (i.e. variable, function, etc.) may take its values. (According to Wikipedia)

What is a string data type?

In computer programming, a string is traditionally a sequence of characters (a word for example) (According to Wikipedia)

Newsletter

I will be sharing my learning journey, cyber security news, new CVEs and study resources, and more, feel free to subscribe 😊 and please don’t forget to drink water 🌊

⭐I love connecting with different people so if you want to say hi, I’ll be happy to meet you more! :)

LinkedIn
Twitter

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store