SQL Injection Vulnerability in WHERE Clause Allowing Retrieval of Hidden Data


A Portswigger Lab

Marduk I Am

Welcome!

Lab Description:

This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.

What is SQL?

Structured Query Language (SQL) is a standard language for storing, manipulating and retrieving data in databases. Although there are several different dialects of SQL (e.g. MySQL, PostgreSQL, SQLite), to be compliant with the American National Standards Institute (ANSI) standard they all support at least the major commands (such as SELECT, UPDATE, DELETE, INSERT and WHERE).

When an attacker uses SQL injection, they are targeting the site’s databases. Usernames, passwords, credit card numbers, medical information: all of this, and much more, is stored in databases.

Yottabytes upon yottabytes of data. Yep it’s a word.

Let’s say you are shopping for a new television. You log into your favorite shopping site to search for TVs priced between $500 and $1,000. The site may use a SQL query like the following to display only the relevant TVs.

-- Example query.
SELECT * FROM tvs WHERE price BETWEEN 500 AND 1000;

SQL is generally considered user-friendly and accessible, making it an ideal language for beginners to grasp. However, as datasets grow in size, navigating through extensive data can be challenging and can potentially lead to confusion.

Now, let’s get started!

Note:

I will be using Burpsuite Community Edition to help complete this lab, so you may want to have that up and running. If you’re not sure what Burp is or how to use it, check out Burpsuite Basics (FREE Community Edition) by John Hammond.

Access the lab. In this lab our target site is a simple shopping site with various products. These products are stored in a database and can be retrieved and sorted by using filters.

Screenshot: a simple shopping site with a red arrow pointing at the ‘Gifts’ filter button.

Click on ‘Gifts’ to filter.

Our goal is to get the site to list ALL of its products when it is only supposed to be showing us ‘Gifts’.

But how are we going to accomplish this? There is no search bar or form to inject our SQL payload. Let’s try the URL.

After clicking on the ‘Gifts’ filter button:

<-- Your URL will look like the following -->
https://<Your_Unique_Subdomain>.web-security-academy.net/filter?category=Gifts

Now we need to find our target site in Burp. Click on the ‘Target’ tab and locate our target site, in the site map, on the left hand.

Screenshot of Burp showing where ‘Target’ tab is and where to find our target site.

Expand the target site to find the request for the ‘Gifts’ filter page. Right-click on our filter category and select ‘Send to Repeater’ from the drop-down menu.

Screenshot of Burp showing where to find ‘/filter?category=Gifts’ in the site map.

In Burp Repeater we can manipulate the request and repeatedly send modified requests to the server to see the individual responses. This makes tasks like checking for SQL injections and XSS attacks a lot easier.

Screenshot of Burp Repeater showing the Inspector with the payload entered (‘+OR+1=1--).

Click on the ‘Repeater’ tab. In the GET request, on the left hand side, if you highlight the part of the URL you want to alter, it will show up in the ‘Inspector’ on the right hand side. Here, in the Inspector’s ‘Decoded from:’ text box, is where we will enter our payload to test. Our payload is returned to us, URL encoded, in the ‘Selected text’ text box.

Remember our URL:

web-security-academy.net/filter?category=Gifts

/filter — Path.
? — Indicates a query string follows.
category=Gifts — Query parameter.

In this case we know the query being made is a SQL query that may look something like this:

SELECT * FROM products WHERE category = 'Gifts';

Notice ‘Gifts’ in single quotes. SQL databases typically use single quotes (') to denote string literals.

This is why we are going to start our payload with a single quote ('): it closes the string literal, so whatever follows is parsed as SQL rather than as part of the category name.

-- Our complete little payload
'+OR+1=1--

We are going to append an OR condition to the query parameter. Our condition, 1=1, always evaluates to true, so the WHERE clause matches every row regardless of the preceding category condition.

The double hyphen at the end of the payload comments out the remaining part of the original query, including the AND released = 1 condition.

This should show us not only the products categorized as ‘Gifts’, but all of the site’s products regardless of category, including unreleased ones.
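As an added example, not code from the post or the lab, here is the product filter modelled in Python against an in-memory SQLite table (the table, rows and function names are constructed for illustration): the concatenated query shows why the payload above returns unreleased rows, and the parameterised version shows the fix.

```python
# Added example (not from the lab or the post): models the product filter
# behind the lab with an in-memory SQLite database, and contrasts string
# concatenation (the bug the lab demonstrates) with a parameterised query.
import sqlite3

# Constructed sample data: two released gifts, one unreleased gift, one
# released item in another category.
PRODUCTS = [
    ("Gift Box", "Gifts", 1),
    ("Gift Card", "Gifts", 1),
    ("Secret Gift", "Gifts", 0),
    ("Television", "Tech", 1),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    # The lab's bug: user input is pasted straight into the SQL text, so a
    # quote in the input closes the string literal and the rest is parsed
    # as SQL. The trailing -- comments out "AND released = 1".
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return sorted(row[0] for row in conn.execute(sql))


def filter_safe(conn, category):
    # The fix: bind the value as a parameter. The driver sends it as data,
    # so a quote or -- inside it can never change the query's structure.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(sql, (category,)))


if __name__ == "__main__":
    db = make_db()
    payload = "Gifts' OR 1=1--"   # the lab payload, URL-decoded
    print(filter_vulnerable(db, "Gifts"))    # ['Gift Box', 'Gift Card']
    print(filter_vulnerable(db, payload))    # every row, released or not
    print(filter_safe(db, payload))          # [] - no category has that name
```

With the parameterised query the same input is simply a category name that matches nothing, which is what a code reviewer should look for when the filter parameter reaches the database.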

In the Burp Inspector Decoded from text box add our payload to the end of ‘Gifts’ and click the orange ‘Apply Changes’.

Screenshot showing URL encoded payload and where to click the send button.

This will change your GET request to include our URL encoded payload.

Click the orange ‘Send’ button. You should receive a 200 OK response, and the web page should show a ‘Congratulations’ message confirming that you solved the lab. However, the raw response will not show you ALL of the products.

There are two ways to accomplish this:

1. In Burp Repeater, click on the ‘Render’ tab in the response area. The page will be displayed there.

2. Add our payload directly to the end of the page’s URL and press ‘Enter’.

<-- Your URL should look like the following -->
https://<Your_Unique_subdomain>.web-security-academy.net/filter?category=Gifts'+OR+1=1--

Congratulations! You solved the first of Portswigger’s SQL injection labs. Keep it up!

See you next time!

Up Next:

SQL Injection Vulnerability Allowing Login Bypass
