SQL injection vulnerability in WHERE clause allowing retrieval of hidden data - KA4KA4/PortSwigger-SQL-injection-Labs GitHub Wiki
Welcome to the PortSwigger-SQL-injection-Labs wiki!
Hello. We will solve the first SQL injection lab in the PortSwigger labs, but first we need to know what SQL is and how it works. Let's start.
What is SQL?
It stands for Structured Query Language, a programming language designed for storing, manipulating, and retrieving data in a relational database. It is used to handle the requests that come from users to the database and fetch the specific data they asked for.
It is based on tables, and every table has columns and rows, as in this example:
There are various database management systems, such as MySQL, Oracle, and Microsoft SQL Server.
Attackers can abuse a database that is connected to public applications and websites by sending a malicious query to it; the database then returns sensitive data to the attacker, such as passwords or ID card numbers. They can also modify or delete sensitive data, or even take control of the entire database.
After learning what SQL is and how it works, let's solve the first lab.
This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
EXPLAIN: this query selects all the information from the products table for the rows where the category column has the value Gifts and the released column has the value 1, so products that are not released stay hidden.
Now let's solve the lab:
- Turn on the FoxyProxy tool to intercept the HTTP requests.
- Go to the home page of the lab.
- Open Burp Suite.
- Go to the Lifestyle category.
- The request will appear in Burp Suite.
- Send the request to Repeater.
- Add this query to the category value in the first line of the request: '+OR+1=1--
- EXPLAIN: we need to break the query so that it returns the hidden information. The query '+OR+1=1-- (the + is a URL-encoded space) is a condition that tells the database: if the first condition is false, use the second one. The first condition is the original filter, which is false for the hidden rows; the second condition starts with ' to break the syntax of the string, then OR tells the database that the second condition is true, because 1 really is equal to 1. The -- at the end is a comment and tells the database that the query ends there, so the rest of the original query (AND released = 1) is ignored. Sometimes we need to add "-- -" instead (for example, MySQL only treats -- as a comment when it is followed by a space), but that is not permanent; it depends on how the database handles requests and on the type of database.
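To see what this step does to the query from the lab description, here is an added example (my own code, not part of the PortSwigger lab or of this repository) that builds a small products table in SQLite, runs the lab's lookup the vulnerable way, by pasting the category into the SQL text, and then runs the same lookup with a bound parameter. The product rows are constructed sample data; the table and column names (products, category, released) are the ones from the query above, and the function names are my own.

```python
import sqlite3

# Constructed sample rows standing in for the lab's shop database. The table and
# column names (products, category, released) come from the query on this page;
# the product names are invented for the demonstration.
PRODUCTS = [
    ("Gifts", "Gift Basket", 1),
    ("Gifts", "Unreleased Gift", 0),
    ("Lifestyle", "Yoga Mat", 1),
    ("Lifestyle", "Unreleased Lifestyle Item", 0),
    ("Tech", "USB Hub", 1),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory products table: a table with columns and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (category TEXT, name TEXT, released INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def build_vulnerable_query(category: str) -> str:
    """The lab's query, assembled by string concatenation.

    This is the defect: whatever the user typed becomes part of the SQL text,
    so a quote in the input closes the string literal early.
    """
    return (
        "SELECT name, released FROM products "
        f"WHERE category = '{category}' AND released = 1"
    )


def vulnerable_lookup(conn: sqlite3.Connection, category: str) -> list:
    """Run the concatenated query exactly as the vulnerable application would."""
    return conn.execute(build_vulnerable_query(category)).fetchall()


def safe_lookup(conn: sqlite3.Connection, category: str) -> list:
    """Hardened version: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name, released FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()


# The page's payload '+OR+1=1-- as the server sees it after URL decoding
# ('+' is an encoded space), appended to the chosen category value.
PAYLOAD_CATEGORY = "Gifts' OR 1=1--"


def demo() -> dict:
    """Compare both lookups on a normal category and on the injected one."""
    conn = make_db()
    return {
        "normal_vulnerable": vulnerable_lookup(conn, "Gifts"),
        "normal_safe": safe_lookup(conn, "Gifts"),
        # The closing quote, OR 1=1 and the trailing comment turn the WHERE clause
        # into "category = 'Gifts' OR 1=1", so "AND released = 1" no longer applies
        # and the unreleased rows come back too.
        "injected_vulnerable": vulnerable_lookup(conn, PAYLOAD_CATEGORY),
        # Same input as a bound parameter: it is compared literally and matches nothing.
        "injected_safe": safe_lookup(conn, PAYLOAD_CATEGORY),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD_CATEGORY))
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it prints the concatenated query with the comment swallowing the released filter, then shows that the vulnerable lookup returns every row in the table for the injected input while the parameterised lookup returns nothing. SQLite accepts -- without a following space; on MySQL the same demonstration would need the "-- -" variant mentioned in the step above, which is exactly the database-dependence the author points out.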
After adding the query, the lab is solved. It's very easy.
Thank you.