June 12, 2026
SQL Injection 1 (APPRENTICE)
Lab 1 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data.
Nadia
3 min read
This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following: SELECT * FROM products WHERE category = 'Gifts' AND released = 1. To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.
Solution
- Step 1: First, click the orange "Access the Lab" button on the home page.
- Step 2: You are redirected to the lab website. As you can see, it is a shopping app where you can filter what you see by category; for example, click the Accessories category. The application then runs an SQL query like this: SELECT * FROM products WHERE category = 'Accessories' AND released = 1. SELECT * FROM products retrieves all columns from the products table, WHERE category = 'Accessories' filters for products in the Accessories category only, and AND released = 1 keeps only those that have been released. This means products with released = 0 (not released yet) are hidden from normal users, and the task is to bypass this condition.
To identify the injection point, pay attention to the URL when you click a category on the website. It looks like this: "https://0aa500a8041959b1801b0d6900980037.web-security-academy.net/filter?category=Accessories". The category parameter (here Accessories) goes directly into the SQL query, so it is the attack surface.
Enter a single quote character (') as the category value in the URL: https://0aa500a8041959b1801b0d6900980037.web-security-academy.net/filter?category=' . The query formed in the database becomes SELECT * FROM products WHERE category = ''' AND released = 1. Notice that there are now three quotation marks: the first is the application's opening quote, the second is our input, and the last is the application's closing quote. This makes the SQL syntax invalid because the quotation marks are no longer paired correctly (just like in the image, the result is an internal server error).
That error is actually a good sign, because it proves that the application does not sanitize user input: our input is sent directly to the database without any filtering, and the application displays an error instead of handling it safely (a secure application should return a generic error page, not an internal server error that confirms there is a problem with the query).
- Step 3: After confirming the vulnerability, try to comment out the rest of the query using SQL comments. Enter: https://0aa500a8041959b1801b0d6900980037.web-security-academy.net/filter?category='-- . The query formed in the database becomes SELECT * FROM products WHERE category = ''-- ' AND released = 1. In SQL, -- is a comment marker: all text after the -- is ignored by the database. So the query that is actually executed is simply SELECT * FROM products WHERE category = '' .
The page then loads without an error, but no products are displayed (you can see this in the image below): there is only the category navbar, with no product listing.
- Step 4: Enter the main payload: https://0aa500a8041959b1801b0d6900980037.web-security-academy.net/filter?category=' OR 1=1-- . The ' closes the category string opened by the application, OR 1=1 adds a condition that is always TRUE, and -- comments out everything that follows. The complete query formed is SELECT * FROM products WHERE category = '' OR 1=1--' AND released = 1. Everything after the -- is ignored, so the effective query that is executed is SELECT * FROM products WHERE category = '' OR 1=1 .
OR 1=1 is so powerful because, in SQL logic, WHERE returns a row whenever its condition is TRUE, and with OR the whole condition is TRUE as soon as either side is TRUE. Since 1=1 is always TRUE, every row in the products table is returned, regardless of category and regardless of whether released = 1 or released = 0. This query is essentially the same as SELECT * FROM products (without any filters).
- Step 5: Congratulations, the lab is solved.
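To make the root cause concrete, here is an added example (not part of the lab or this write-up) that rebuilds the category filter against an in-memory SQLite table with constructed sample rows, once by string concatenation as the lab's application does and once with a bound parameter. Running the three inputs from the steps above through both versions shows the syntax error, the empty result, and the unreleased rows leaking from the concatenated query, while the parameterized query treats each input as a plain category value. The table name and columns follow the query shown in the lab; the row contents are invented for the demo.

```python
import sqlite3

# Constructed sample rows modelled on the lab's products table (not the lab's own data).
PRODUCTS = [
    ("Gift Basket", "Gifts", 1),
    ("Unreleased Gift", "Gifts", 0),           # released = 0: hidden from normal users
    ("Phone Case", "Accessories", 1),
    ("Prototype Strap", "Accessories", 0),     # released = 0: hidden from normal users
]

def make_db():
    """In-memory SQLite database standing in for the lab's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn

def filter_vulnerable(conn, category):
    """Builds the WHERE clause by string concatenation, as the lab's application does.
    Returns the matching product names, or None when the database rejects the query
    (the lab surfaces that as an internal server error)."""
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None

def filter_safe(conn, category):
    """Same query with a bound parameter: the category is passed as a value, so quotes
    and comment markers inside it can never change the statement's structure."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]

if __name__ == "__main__":
    db = make_db()
    for payload in ["Gifts", "'", "'--", "' OR 1=1--"]:
        print(repr(payload), "concatenated:", filter_vulnerable(db, payload),
              "parameterized:", filter_safe(db, payload))
```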