PortSwigger "SQL injection vulnerability in WHERE clause allowing retrieval of hidden data" Walkthrough
This is the first of Portswigger’s SQL injection labs. Before we get started, you’ll need Burp Suite installed (check out this blog post for setup instructions), and an Portswigger Academy account.
After logging in, head over to the lab, located at https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data. You can find this through the Academy learning path list, or linked within the SQL injection lab post.
The lab description is as follows:
Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account. This will be in format https://<random string here>.web-security-academy.net/.
The website looks like this, with the Academy banner at the top:
It’s a simple shopping website with a variety of items and a handful of categories.
Finding the SQL injection vulnerability
There’s a couple different ways to interact with the site. We can click on the product “View Details” button to view the individual product page. For example, we can click on a product and get a URL such as:
https://<random-string>.web-security-academy.net/product?productId=6If we want to test this for SQL injection, let’s add a ' at the end and see what happens:
https://<random-string>.web-security-academy.net/product?productId=6'This returns an “Invalid product ID” error:
Our other option for a SQL injection entry point is the categories. For example:
https://<random-string>.web-security-academy.net/filter?category=LifestyleIf we add a ', we get an Internal Server Error (which means that something has gone wrong with the web application logic), so this is probably our entrypoint:
https://<random-string>.web-security-academy.net/filter?category=Lifestyle'
Lab Solution
If you are new to SQL injection attacks, you should read the first section of Portswigger’s SQL injection blog post (“Retrieving hidden data”), but we’ll briefly summarize here.
The presumed SQL query behind our request is something like:
SELECT * FROM products WHERE category = '<category>' AND released = 1
To solve the lab, we need to cause “the application to display details of all products in any category, both released and unreleased.”
To do so, we will need to insert our own logic into the query to select all queries, and we will need to remove the AND released = 1 clause.
To do the first part, we can insert ' OR 1=1 which will execute:
SELECT * FROM products WHERE category = '' OR 1=1 AND released = 1
Select all results from products where the category is blank OR where 1=1 (which is all categories), and then filter where the product is marked as released.
To remove that last clause, we just need to comment things out after the 'OR 1=1 with --.
With our input of ' OR 1=1 --
SELECT * FROM products WHERE category = '' OR 1=1 -- [everything past here is ignored] AND released = 1
Manual Payload
Our payload is 'OR 1=1 -- . To use this, add it to the end of the Category query:
https://<random-string>.web-security-academy.net/filter?category=Lifestyle' OR 1=1 --
You can do this in your browser, and your browser will automatically convert it to URL encoding (changing ' to %27, space to %20 and so on).
The page should update to show that you’ve completed the lab.
Using Burp Suite
If you’d rather use Burp Suite, keep reading. It’s overkill for this lab but is still good practice.
Make the following request while Burp Suite is open: https://<your-random-string>.web-security-academy.net/filter?category=Lifestyle'.
In Burp Suite’s Proxy tab, right-click the request and click Send to Repeater.
Once you open the request in the Repeater tab, click Go (or Send, depending on your version) to make sure you get the Internal Server Error result as expected.
At the end of the request string (/Lifestyle'), type the payload out: OR 1=1 -- .
This must be URL-encoded before it is sent. To do so, select the payload string, right click, select Convert selection > URL > URL-encode key characters.
This will change the string to: GET /filter?category=Lifestyle%27OR+1%3d1+--+
Click Go. This should update your browser session. If the first Burp Suite request does not show a success message within Burp Suite, you can click Go again and it should update:
