SQLi in WHERE clause
Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
The lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a query like the following:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
To solve: perform a SQL injection that causes the application to display one or more unreleased products.
By accessing the lab, we see a product page with different categories and items. Clicking on any of the categories, we see the parameter being used in the URL (shown in the lab description and the image below). Analyzing the challenge statement, we are already given the query that happens in the backend.
We can gather that a product is returned only when both conditions hold: the category column matches the selected value and released = 1. Since we know the selected value is placed directly into category='...', we can also gather that changing that value might give us more information.
Changing the value of category to a single quote (') breaks the application and shows an internal server error. This denotes that the app is most likely vulnerable to SQL injection: the unbalanced quote is reaching the database query unescaped.
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
This selects all the rows from the products table where the category column is 'Gifts' and released is 1.
By changing the query to
/filter?category='--
we close the string with the quote and comment out the rest of the statement, so the application ignores the released = 1 condition altogether.
select * from products where category = '' or 1=1 --' and released = 1
Select all the rows from the products table where the category is either equal to nothing or the conditional statement 1=1, which will evaluate to true. Everything after -- is a comment, so the released = 1 condition is never applied.
Our payload is then
' or 1=1 --'
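The following is an added example, not part of the original writeup or the lab's own code. It rebuilds the lab's query shape against a constructed in-memory SQLite table so you can see, side by side, why string concatenation lets the page's payload return unreleased rows and why a bound parameter does not. The table contents, function names and the use of SQLite are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for the lab's products table (not the lab's real data).
PRODUCTS = [
    ("Gift Box", "Gifts", 1),
    ("Secret Gift", "Gifts", 0),       # unreleased
    ("Lamp", "Home", 1),
    ("Prototype Lamp", "Home", 0),     # unreleased
]


def make_db():
    """Create an in-memory database with the constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    """Vulnerable: the category value is concatenated straight into the SQL text,
    mirroring the backend query the lab describes."""
    sql = "SELECT name FROM products WHERE category = '" + category + "' AND released = 1"
    return sorted(row[0] for row in conn.execute(sql))


def filter_parameterized(conn, category):
    """Hardened: the value is passed as a bound parameter, so the database always
    treats it as data and never as part of the SQL statement."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(sql, (category,)))


def probe_vulnerable(conn, category):
    """Run the vulnerable filter and report a parse failure as 'error' instead of raising.
    The failure is what surfaces as the lab's internal server error on a lone quote."""
    try:
        return filter_vulnerable(conn, category)
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1=1 --"
    print("normal:        ", filter_vulnerable(conn, "Gifts"))
    print("lone quote:    ", probe_vulnerable(conn, "'"))
    print("vulnerable:    ", filter_vulnerable(conn, payload))   # unreleased rows leak
    print("parameterized: ", filter_parameterized(conn, payload))  # nothing matches
```

The vulnerable path shows each step of the writeup in turn: a lone quote produces a database error, and the closing payload turns `released = 1` into a comment so every row comes back. The parameterized path runs the same payload as a literal category string, which matches no product, and a lone quote simply returns nothing rather than erroring.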