Web Security Academy SQL injection Writeups
This is my Web Security Academy SQL injection lab writeups.
https://portswigger.net/web-security/sql-injection
Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
Description
This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:
1 | SELECT * FROM products WHERE category = 'Gifts' AND released = 1 |
To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.
Solution
The problem states that the goal is to see if we can search for unreleased products. From the provided hint sql query, we can infer that the results shown on the webpage are likely filtered by released = 1 .
The webpage allows you to select a category . After selecting a specific category , the URL suffix looks like this:
1 | /filter?category=Lifestyle |
If the category value is directly concatenated into the sql query provided by the problem, then the category can be manipulated in the following way to search for all products :
1 | aaa' OR 1=1 -- - |
After URL encoding, it becomes:
1 | aaa'%20OR%201%3d1%20--%20- |
The sql query might be parsed as:
1 | SELECT * FROM products WHERE category = 'aaa' OR 1=1 -- -' AND released = 1 |
This successfully searches for all products (including those that haven't been released yet).
Lab: SQL injection vulnerability allowing login bypass
Description
This lab contains a SQL injection vulnerability in the login function.
To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.
Solution
Go directly to the login page and input the following to bypass the subsequent authentication (hypothesis):
1 | administrator' -- - |
The reason for not adding something like OR 1=1 -- - is that the task seems to be just selecting the administrator account, not retrieving everything.
After URL encoding, it becomes:
1 | administrator'%20--%20- |
Testing shows that it successfully logs in as administrator .
Lab: SQL injection attack, querying the database type and version on Oracle
Description
This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
To solve the lab, display the database version string.
Hint
On Oracle databases, every SELECT statement must specify a table to select FROM . If your UNION SELECT attack does not query from a table, you will still need to include the FROM keyword followed by a valid table name.
There is a built-in table on Oracle called dual which you can use for this purpose. For example: UNION SELECT 'abc' FROM dual
For more information, see our SQL injection cheat sheet.
Solution
The question hints that this is likely an Oracle database.
Again, we need to modify the URL suffix to achieve SQL injection. Before the injection, it should look like this:
1 | /filter?category=Pets |
The initially displayed result suggests that a few pieces of data, such as product titles and product content, are likely retrieved from the database. At this point, we can probably guess that the backend SQL command is fetching two columns. However, the actual number can be verified later.
Modify the category value, and this time use the UNION attack technique. First, guess the number of columns. Once the webpage retrieves the data normally, the correct number of columns should be confirmed. Below is the payload I tried:
1 | aaa' UNION SELECT 'a' FROM dual -- - |
Additionally, there's a detail worth noting here. I suspect that both the title and content are of string type, so when I perform the
UNIONattack, I use the same data type as well.
After testing, I found that the following payload achieved the expected result:
1 | aaa' UNION SELECT 'a', 'b' FROM dual -- - |
Using this method to read the BANNER information from v$version, this is the "database version string" mentioned in the question:
1 | aaa' UNION SELECT NULL, BANNER FROM v$version -- - |
v$versionandBANNERare considered some prerequisite knowledge. Before launching an attack, it's likely that you'll need some basic understanding of the database.
After URL encoding, it becomes:
1 | aaa'%20UNION%20SELECT%20NULL%2c%20BANNER%20FROM%20v%24version%20--%20- |
In practice, it successfully lists the version information.
Supplement: Oracle dual
dual is a special built-in table in Oracle databases used to perform simple queries that do not depend on other tables. It contains only one row and one column and is commonly used to return constant values, perform mathematical operations, test function results, or display the system date:
Return constants or strings: Used to return static values or constants from a query.
Perform operations and functions: Execute simple mathematical operations or
SQLfunction calculations without involving other tables.Retrieve system date and time: Can be used to return the current system date (
SYSDATE) or perform date formatting.
Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft
This Lab is similar to Lab: SQL injection attack, querying the database type and version on Oracle . The goal is to determine the number of columns and then retrieve the version information. The question also hints that the database version might be MySQL or Microsoft.
Testing columns:
1 | aaa' UNION SELECT 'a' # |
From the test above, we can determine that there are two columns. Next, we can directly display the version information:
1 | aaa' UNION SELECT @@version, 'b' # |
After URL encoding, it becomes:
1 | aaa'%20UNION%20SELECT%20%40%40version%2c%20'b'%20%23 |
In practice, it successfully lists the version information.
