SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/sql-injection-apprentice/sql-injection/lab-retrieve-hidden-data
This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.
There are some products filtered into categories: All, clothing, gift, etc.
Clicking on one of them (e.g. Gift), we can see that there is a direct reference to a value: category=Gifts
This is a sign that the parameter should be injectable.
Adding this payload: ' OR 1=1 --
we can comment out the last part of the query (AND released = 1) and display all results, solving the lab.
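Why the filter breaks, and the fix, shown as an added example that is not part of the original write-up or the lab's code: the lab's query built by string concatenation next to the same query with a bound parameter. The in-memory SQLite table, its rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (name, category, released)
ROWS = [
    ("Snow globe", "Gifts", 1),
    ("Mystery box", "Gifts", 0),        # unreleased
    ("Rain jacket", "Clothing", 1),
    ("Prototype boots", "Clothing", 0), # unreleased
]

PAYLOAD = "Gifts" + "' OR 1=1 --"  # the category value with the page's payload appended


def make_db():
    """Build a throwaway in-memory products table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return db


def filter_concatenated(db, category):
    """Vulnerable form: the request value becomes part of the SQL text."""
    sql = ("SELECT name FROM products WHERE category = '"
           + category + "' AND released = 1")
    return sql, sorted(r[0] for r in db.execute(sql))


def filter_parameterized(db, category):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sql, sorted(r[0] for r in db.execute(sql, (category,)))


def demo():
    db = make_db()
    for fn in (filter_concatenated, filter_parameterized):
        for value in ("Gifts", PAYLOAD):
            sql, names = fn(db, value)
            print(f"{fn.__name__}({value!r})\n  SQL:  {sql}\n  rows: {names}")


if __name__ == "__main__":
    demo()
```

With concatenation, the quote in the payload closes the string literal, `OR 1=1` makes the condition true for every row, and `--` turns `' AND released = 1` into a comment; with a bound parameter the whole value is compared as a category name and matches nothing.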