Simple SQL Injection Vulnerability in WHERE clause allowing retrieval of hidden data | 2023
Portswigger Lab Simple Solution — SQL Injection | Karthikeyan Nagaraj
What is SQL Injection?
- SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
- It generally allows an attacker to view data that they are not normally able to retrieve.
- This might include data belonging to other users, or any other data that the application itself is able to access.
- In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.
In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure or perform a denial-of-service attack.
SQL injection examples
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:
- Retrieving hidden data, where you can modify an SQL query to return additional results.
- Subverting application logic, where you can change a query to interfere with the application’s logic.
- UNION attacks, where you can retrieve data from different database tables.
- Examining the database, where you can extract information about the version and structure of the database.
- Blind SQL injection, where the results of a query you control are not returned in the application’s responses.
Retrieving hidden data
1. Consider a shopping application that displays products in different categories.
2. When the user clicks on the Gifts category, their browser requests the URL:
https://evil.com/products?category=Gifts
3. This causes the application to make an SQL query to retrieve details of the relevant products from the database:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
4. This SQL query asks the database to return:
- all details (*)
- from the products table
- where the category is Gifts
- and released is 1.
5. The restriction released = 1 is being used to hide products that are not released. For unreleased products, presumably released = 0.
6. The application doesn’t implement any defenses against SQL injection attacks, so an attacker can construct an attack like:
https://evil.com/products?category=Gifts'--
7. This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
8. The key thing here is that the double-dash sequence -- is a comment indicator in SQL, so everything after it up to the end of the line is ignored by the database. (Note that MySQL requires a space after the double dash, -- , or the # character instead; other databases accept -- as written.)
9. This effectively removes the remainder of the query, so it no longer includes AND released = 1.
10. This means that all products are displayed, including unreleased products.
11. Going further, an attacker can cause the application to display all the products in any category, including categories that they don't know about, by submitting category=Gifts'+OR+1=1-- (the + is the URL encoding of a space).
Result of Query:
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
Because OR 1=1 is true for every row, the WHERE clause matches the whole table. Use this payload with care outside a lab: if the same input is also concatenated into an UPDATE or DELETE statement, an always-true condition will modify or delete every row.
Lab Description:
This lab contains an SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out an SQL query like the following:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
To solve the lab, perform an SQL injection attack that causes the application to display details of all products in any category, both released and unreleased.
Analysis:
1. Capture the request sent when a category filter is selected and send it to Repeater.
2. As the description says that the category parameter is vulnerable to SQL injection, replace the category value with the payload below and send the request. The lab is solved when the response lists all products, both released and unreleased.
Pets'+OR+1=1--
Feel free to ask queries via LinkedIn and to buy me a coffee : )
Thank you for Reading!!
Happy Hunting ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng