This is a basic SQL injection lab. We are given an e-commerce store that lists multiple products, and every product shown is "released", that is, not hidden.
Most online stores have this kind of logic to make products live or take them down as needed, for example for sales and promotions.
These are the released products. If you wanted to list the products that are not released, you would probably look for the filter the store uses to tell released products from unreleased ones. That is likely the clue to solving this lab.
Let's browse the store and see whether any product looks interesting, just to understand its business logic.
It's a simple online store with different products listed. To refine the search, filters are available; I'm going to choose "Lifestyle", since it's easier to type.
Products and categories keep changing, so bear with the different categories used here.
For the category "Pets", here are a couple of products that are released under that filter.
Keep an eye on the URL: it changes with each category, e.g. filter?category=Pets.
Alright, enough window shopping. Let's rob the store. Let's use Burp Suite to see what happens behind the scenes of the request.
We see this request:

    GET /filter?category=Pets HTTP/1.1
    Host: 0a1000f703a53b3ac0f754a40004008d.web-security-academy.net
    Cookie: session=OyeyX3M7ZCg3zSfmcYWwPAHhvMcq5ZaK
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://0a1000f703a53b3ac0f754a40004008d.web-security-academy.net/filter?category=Pets
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Cache-Control: max-age=0
    Te: trailers
    Connection: close
See that the category is sent as Pets; maybe this is our entry point. You can experiment by changing the categories.
Since Burp has captured the request, instead of making it again and again in the browser it is easier to send it to the Repeater, where you can keep experimenting with the request; that is much more convenient than the browser itself.
Let's try to make the category filter return the unreleased products as well, using the classic SQL injection payload ' OR 1=1--.
The OR 1=1 payload is meant to manipulate the WHERE clause of the SQL query that the application builds from our input. The lab description tells us the store runs a query of the form SELECT * FROM products WHERE category = 'Pets' AND released = 1. If the category value is concatenated straight into that string, sending Pets' OR 1=1-- turns it into WHERE category = 'Pets' OR 1=1--' AND released = 1: the single quote closes the string literal, OR 1=1 makes the condition true for every row, and the -- comment throws away the rest of the original query, including the AND released = 1 check. The result is that every product in the table is returned, released or not. This works only because the input is neither validated nor escaped and the query is not parameterised; the payload defeats the released filter rather than any security control that was actually in place. The consequences of this class of vulnerability range from unauthorised access to sensitive data to complete compromise of the target database.
I tried this in different variations, but always got the "Protocol Error" page. The cause is not the SQL but the HTTP: Repeater sends the request line exactly as typed, and a raw space in the URL (GET /filter?category=Pets' OR 1=1-- HTTP/1.1) breaks it, because the server takes the word after the first space as the HTTP version. Spaces in a query string must be URL-encoded as + (or %20), and the single quote as %27, so let's try the query below.
The payload Pets'+OR+1=1-- works as follows. Once the server decodes it, +OR+1=1 becomes OR 1=1, which changes the logic of the WHERE clause so that it is true for every row, and the -- comment symbol comments out the SQL that follows the injection point (here the AND released = 1 condition), so the hidden products are returned together with the released ones. One caveat: -- comments to the end of the line, and on MySQL the dashes must be followed by whitespace (send --+ or use # instead); on PostgreSQL, Oracle and SQL Server a bare -- is enough.
Try this and hopefully it will solve the lab.
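To see exactly why the quote and the comment matter, here is an added example that is not part of the lab or of this walkthrough: a small SQLite model of the store's filter query, with the vulnerable string-concatenation version next to a parameterised one, plus the URL-encoded request line that Repeater needs. The table, product names and the query shape are assumptions modelled on the lab description, not the lab's real data.

```python
import sqlite3
from urllib.parse import quote_plus

# Constructed sample catalogue (not the lab's real data). Rows with
# released = 0 are the "unreleased" products the filter is meant to hide.
PRODUCTS = [
    ("Dog Bed", "Pets", 1),
    ("Cat Tree", "Pets", 0),
    ("Yoga Mat", "Lifestyle", 1),
    ("Smart Lamp", "Lifestyle", 0),
]


def make_db():
    """Build an in-memory products table matching the lab's described schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    """Deliberately vulnerable: the category is pasted into the string literal.

    A quote in the input ends the literal, so everything after it is parsed
    as SQL, and a trailing -- comments out the AND released = 1 check.
    """
    sql = ("SELECT name FROM products WHERE category = '" + category
           + "' AND released = 1")
    return [row[0] for row in conn.execute(sql)]


def filter_safe(conn, category):
    """Hardened version: a bound parameter is always data, never SQL."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def request_line(category):
    """The request line Repeater must send: spaces become +, ' becomes %27.

    A raw space in the target would make the server read the next word as
    the HTTP version and answer with a protocol error.
    """
    return f"GET /filter?category={quote_plus(category)} HTTP/1.1"


if __name__ == "__main__":
    conn = make_db()
    for payload in ("Pets", "Pets OR 1=1--", "Pets' OR 1=1--"):
        print(request_line(payload))
        print("  vulnerable:", filter_vulnerable(conn, payload))
        print("  safe:      ", filter_safe(conn, payload))
```

Running it shows the three cases side by side: a plain category returns only the released Pets product; the payload without the quote returns nothing, because it is still inside the string literal; and Pets' OR 1=1-- returns the whole catalogue from the vulnerable function while the parameterised function still returns nothing for it.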