SQL injection with filter bypass via XML encoding - KA4KA4/PortSwigger-SQL-injection-Labs GitHub Wiki
Hello, today we are going to solve the last lab in the PortSwigger SQL injection series, and in particular it uses a new technique of Blind SQL injection.
The database contains a users table, which contains the usernames and passwords of registered users. To solve the lab, perform a SQL injection attack to retrieve the admin user’s credentials, then log in to their account.
Preparing the lab:
Go to the home page and open Burp Suite to intercept the request.

Let's click one of those products!

Check the stock, then send the request to Repeater.

As you can see, this form sends a POST request to /product/stock, and it requires two parameters: productId and storeId.
Now we need to detect the vulnerability. Probe the storeId parameter to see whether your input is evaluated: for example, try replacing the ID with a mathematical expression that evaluates to another potential ID.

Observe that your input appears to be evaluated by the application, returning the stock for different stores.
Now we need to determine the number of columns returned by the original query by appending a UNION SELECT statement to the original store ID. We will use the following query:
1 UNION SELECT NULL
- Explanation: we start with store ID 1, which is the store currently selected in the application. Then we append our own query, starting with UNION SELECT. In SQL, the UNION operator combines the results of two or more SELECT statements into a single result set. SELECT NULL lets us match the number of columns in the original query without returning any actual data.
Now send the request and see what happens:

Observe that your request has been blocked because it was flagged as a potential attack. The WAF detected our request.
- What is a WAF? WAF stands for Web Application Firewall, a security solution that protects web applications from various types of attacks. It is specifically designed to defend against threats targeting the application layer of the web stack. The primary goal of a WAF is to identify and block malicious traffic before it reaches the web application.
WAFs can provide protection against a wide range of attacks, including but not limited to:
1) SQL Injection: an attack where malicious SQL queries are injected into a web application's database.
2) Cross-Site Scripting (XSS): an attack where malicious scripts are injected into web pages viewed by other users.
3) Cross-Site Request Forgery (CSRF): an attack that tricks authenticated users into performing unwanted actions without their knowledge.
4) Remote File Inclusion (RFI): an attack where an attacker includes remote files on a web server to execute arbitrary code.
The next step is to bypass the WAF, because it looks like some filtering is blocking our SQL injection payload!
To bypass the filter in this XML-based SQL injection, we can use an XML escape sequence!!
For example, we can use an online tool to encode XML strings:

A step-by-step way to bypass the WAF is to use a Burp Suite extension called Hackvertor. Let's try obfuscating our payload with this tool. We can find it in the Extensions tab: search for the name and install it:

Now we need to change the format of the payload to bypass the WAF. Steps to use Hackvertor:
Highlight the payload > right-click > Extensions > Hackvertor > Encode > hex_entities. The query will then look as follows.

After sending the request, our query bypasses the filter.
Now let's add another NULL:
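Why the hex_entities encoding gets past the filter, and what a defender does about it, as an added example that is not part of the original write-up. It assumes the stock-check body is XML with hypothetical <stockCheck>, <productId> and <storeId> elements (the lab page does not show the body), and constructs the sample bodies by hand.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample bodies for POST /product/stock. Element names are an
# assumption; the write-up only names the productId and storeId parameters.
PLAIN = ("<stockCheck><productId>1</productId>"
         "<storeId>1 UNION SELECT NULL</storeId></stockCheck>")
# Same payload with the SQL keywords written as XML hex character references,
# the form the Hackvertor hex_entities tag produces (encoded by hand here).
ENCODED = ("<stockCheck><productId>1</productId><storeId>1 "
           "&#x55;&#x4e;&#x49;&#x4f;&#x4e; &#x53;&#x45;&#x4c;&#x45;&#x43;&#x54; "
           "&#x4e;&#x55;&#x4c;&#x4c;</storeId></stockCheck>")
BENIGN = "<stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>"

# A minimal signature, standing in for the WAF's SQL keyword rule.
KEYWORDS = re.compile(r"\b(union|select)\b", re.IGNORECASE)


def raw_filter_blocks(body: str) -> bool:
    """Signature check over the raw request body, as a naive WAF does.
    It never sees 'UNION' in the encoded body, so that body passes."""
    return KEYWORDS.search(body) is not None


def store_id(body: str) -> str:
    """Parse the body the way the application does. The XML parser resolves
    the &#x..; references, so this is the value that reaches the SQL query."""
    return ET.fromstring(body).findtext("storeId") or ""


def decoded_filter_blocks(body: str) -> bool:
    """The same signature applied after parsing: both bodies are caught."""
    return KEYWORDS.search(store_id(body)) is not None


def store_id_is_valid(body: str) -> bool:
    """Application-side allow-list: storeId must be a plain integer. This,
    together with a parameterised query, stops the injection regardless of
    how the request was encoded on the wire."""
    return store_id(body).isdigit()
```

The decoded value of the encoded body is exactly "1 UNION SELECT NULL", which is why the database executes it even though the WAF saw nothing suspicious.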

We get 0 units, so there is definitely only one column in the query. That means we can only output the content of one column, so if we want to output the content of two columns, username and password, we need to concatenate them into a single column.
The query will be as follows:
<@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities>
Send the request:

We get the usernames and passwords: administrator~ylgsuolrqxkfhwfjtkhh
Go to the login page and log in with the administrator user.

And the lab has been solved 🥇