SQL injection with filter bypass via XML encoding
https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding
Last updated
This lab contains a SQL injection vulnerability in its stock check feature. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables.
The database contains a users table, which contains the usernames and passwords of registered users. To solve the lab, perform a SQL injection attack to retrieve the admin user's credentials, then log in to their account.
Open one of the shop's products: https://0a5b002b0394c64382a61f0e00eb00c9.web-security-academy.net/product?productId=1
Analyzing the HTTP request for this page in Burp Suite shows no XML at all, so this is the wrong route.
Looking at the page more carefully, there is a form submitted with POST that displays the stock of the product at three different store locations.
Capturing that request, we see the XML we were looking for.
We can start by injecting this payload: 1 UNION SELECT NULL
to check whether the NULL value is reflected in the output.
The WAF identifies the malicious payload, so we try encoding it with a tool.
Install Hackvector (optional); any other web-based encoder works as well.
Encoding the payload as hex entities: 1 <@hex_entities>UNION SELECT NULL</@hex_entities>
we are able to evade the WAF and obtain 'NULL' as the result:
Adding a second NULL shows that a second column does not exist, so the query returns only one column.
Recalling the task ("The database contains a users table, which contains the usernames and passwords of registered users."), two columns are needed, so we work around this by concatenating the two fields into one:
1 <@hex_entities>UNION SELECT username || '~' || password FROM USERS </@hex_entities>
which returns the credentials needed to log in and complete the lab.
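To show why the hex-entity encoding gets past a signature-based filter, and what the check should look at instead, here is an added Python example. It is not part of the lab or of PortSwigger's code: the XML element names (stockCheck, productId, storeId) and the simple UNION/SELECT signature are assumptions for illustration. The point it demonstrates is that the XML parser resolves character references before the value reaches the query, so a filter that inspects the raw body is matching different text from what the database sees; matching after parsing, or better, validating the decoded productId as a plain integer, catches both forms.

```python
import re
import xml.etree.ElementTree as ET


def stock_check_body(product_id, store_id="1"):
    """Build a constructed stock-check request body.

    The element names are an assumption about the lab's format, not taken from it.
    """
    return (
        '<?xml version="1.0"?>'
        f"<stockCheck><productId>{product_id}</productId>"
        f"<storeId>{store_id}</storeId></stockCheck>"
    )


def hex_entities(text):
    """Rewrite every character as an XML hex character reference (&#x..;).

    This is the transformation the write-up applies with Hackvector's
    hex_entities tag; an XML parser turns it straight back into the original text.
    """
    return "".join(f"&#x{ord(ch):x};" for ch in text)


# The same probe from the write-up, once as-is and once entity-encoded (constructed).
PLAIN_BODY = stock_check_body("1 UNION SELECT NULL")
ENCODED_BODY = stock_check_body("1 " + hex_entities("UNION SELECT NULL"))

# A simple signature such as a WAF might apply to the raw request body (assumed).
UNION_SELECT = re.compile(r"\bUNION\b.*?\bSELECT\b", re.IGNORECASE | re.DOTALL)


def raw_body_flags(body):
    """Signature match on the raw body text: this is the check the encoding defeats."""
    return bool(UNION_SELECT.search(body))


def decoded_values(body):
    """Parse the XML first and return {tag: text} for the child elements.

    The parser resolves &#x..; references, so these strings are what the
    application actually feeds into its query.
    """
    root = ET.fromstring(body)
    return {elem.tag: (elem.text or "") for elem in root.iter() if elem is not root}


def decoded_body_flags(body):
    """Apply the same signature to the parsed values instead of the raw body."""
    return any(UNION_SELECT.search(value) for value in decoded_values(body).values())


def product_id_is_valid(value):
    """Positive validation: a product id is a plain decimal integer.

    This rejects both probes without any signature and is the check to pair with
    a parameterised query, rather than relying on pattern matching alone.
    """
    return value.isdigit()


if __name__ == "__main__":
    for name, body in (("plain", PLAIN_BODY), ("hex entities", ENCODED_BODY)):
        pid = decoded_values(body)["productId"]
        print(
            f"{name:13s} raw-signature={raw_body_flags(body)!s:5s} "
            f"decoded-signature={decoded_body_flags(body)!s:5s} "
            f"productId-valid={product_id_is_valid(pid)}"
        )
```

Running it shows the raw-body signature firing only on the plain probe, the post-parse signature firing on both, and the integer allowlist rejecting both; the allowlist is the durable fix because it does not depend on enumerating encodings.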