Solving Portswigger Academy: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

Vishal
2 min read · Sep 11, 2024

In this lab we are going to exploit the SQL injection and try to retrieve hidden data.

This lab contains a SQL injection vulnerability in the product category filter. To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.

Access the lab and you will see the page where there are multiple categories.

First select any category (I will use Gifts) and check the request and response in Burp Suite.

Request and Response when filter is applied

To test whether the application is vulnerable to SQLi, I appended a comma at the end of the GET request and it gave a server error.

SQLi test

Now I add another comma and receive 200 OK, which confirms SQLi.

As we know, the application uses the following query:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

We need to display all products in the Gifts category, whether they are released or not. So we need to use a payload like Gifts'+OR+1=1+--

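The query then becomes:

SELECT * FROM products WHERE category = 'Gifts' OR 1=1 --' AND released = 1

The quote in the payload closes the string literal, OR 1=1 makes the WHERE clause true for every row, and -- turns the rest of the line, including AND released = 1, into a comment.

This will display all the gifts, released or not, and our lab will be solved.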
