SQL injection vulnerability in WHERE clause allowing retrieval of hidden data — PortSwigger
This article introduces the basics of SQL injection (SQLi) and its practical application. It explains the concepts of SQL and databases along with common commands (such as SELECT, WHERE and UNION), and uses a hands-on case to demonstrate how a SQL injection vulnerability is exploited (for example, triggering an error with a single quote and using an OR condition to bypass the filter) to solve the PortSwigger lab. 2025-6-30 07:46:17 Author: infosecwriteups.com

RayofHope

Hi, my fellow hackers. This is Rayofhope. I have over 5 years of experience and am currently working as a consultant with a Big 4 firm.

Starting today, I’ll be posting all the PortSwigger labs — but not just the solutions. I’ll break down why we take each step, because once the ‘why’ is clear, the ‘how’ becomes easy.

Let's Start:

Video Walkthrough — You can watch the video or read the blog, totally up to you. But if you ask me, start with the video, then read the blog to connect all the dots.

What is SQL?

SQL (Structured Query Language) is used to query and manage data in a database. It enables web applications to communicate with database software to retrieve or store information efficiently.

What is a Database?

A database is a structured collection of data stored by a website. It can include all kinds of application-related information such as user details, messages, posts, comments, etc.

Now we know what SQL is and what a database is, but what exactly is SQLi (SQL Injection)?

SQLi (SQL Injection)

SQL Injection is a code injection technique used to attack data-driven applications, where malicious SQL statements are inserted into an input field for execution (e.g., to dump the database contents to the attacker).

Let me tell you the basic commands that you’ll often use in SQL Injection, and that we’ll be using here as well.

SELECT: Used to retrieve data from a database (SELECT name FROM rayofhope)

FROM: Specifies the table from which to retrieve data (SELECT name FROM rayofhope)

WHERE Clause: Filters records that fulfill a specified condition (SELECT * FROM rayofhope WHERE id = '1')

AND / OR (Operators): Used to combine multiple conditions (SELECT * FROM rayofhope WHERE username = 'arayofhope' OR '1'='1')

ORDER BY: Used to sort results, but in SQLi, it’s used to determine the number of columns (SELECT * FROM rayofhope ORDER BY 3) — Here, we will find out whether the table ‘rayofhope’ has 3 columns or not.

UNION: Combines the results of two or more SELECT statements; used in Union-based SQL injection (SELECT username, password FROM rayofhope UNION SELECT null, version())

Well, well, well — there are more commands out there, but for now, these are the most common ones we’ll be using.

This is how the application looks.

Let’s see if we can find any parameters in it, and we do have one: the parameter category with the value accessories.

I changed the value to 1, and we can see it is projecting, which means it could be vulnerable to SQL Injection.

Let’s intercept the request and send it to the Repeater.

Here’s what the response looks like.

I used a double quote (") and it returned a 200 OK response.

I used a single quote (') and it returned a 500 Internal Server Error.

We are getting a 200 OK response with any number or input, but when we use a single quote ('), it throws an error. This means the developer has used single quotes in the SQL query, and since the single quote breaks the query, we can try to exploit it further.

I used 1' ORDER BY 10--+ and it threw an Internal Server Error, which means the table doesn't have 10 columns. I used 1' ORDER BY 8--+ and it returned a 200 OK response, which means there are 8 columns.

Now, our goal is to find one or more unreleased products. We used ' OR 1=1--, where 1=1 is always true, and the single quote (') breaks the original query. As a result, we were able to solve the lab using SQL Injection.
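To make the mechanism concrete, here is an added example (not the post's or PortSwigger's code) that models the lab's lookup with an assumed products table in SQLite: the vulnerable version concatenates the category value into the WHERE clause, the safe version binds it as a parameter. The probe helper reproduces the blog's Repeater tests: a lone quote, and the ' OR 1=1-- payload that pulls in unreleased rows.

```python
import sqlite3

# Constructed in-memory catalogue modelled on the lab (assumed schema, not PortSwigger's code).
SEED_ROWS = [
    ("Pet Hair Ball", "accessories", 1),
    ("Hologram Stand", "accessories", 0),   # unreleased: hidden in normal use
    ("Giant Pillow", "gifts", 1),
    ("Eye Projectors", "gifts", 0),         # unreleased
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def vulnerable_lookup(conn, category):
    """Builds the query by string concatenation, so the quote around the value
    is the only thing separating data from SQL (the mistake behind the lab)."""
    sql = "SELECT name FROM products WHERE category = '" + category + "' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, category):
    """Parameterised query: the driver passes the value separately, so quotes,
    OR and -- inside it are just characters of the category name."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def probe(conn, lookup, payload):
    """Mimics the Repeater test: ('200', rows) on success, ('500', error) on a broken query."""
    try:
        return "200", lookup(conn, payload)
    except sqlite3.OperationalError as exc:
        return "500", str(exc)


if __name__ == "__main__":
    conn = make_db()
    for payload in ["accessories", "'", "' OR 1=1--"]:
        print(repr(payload), "vulnerable:", probe(conn, vulnerable_lookup, payload))
        print(repr(payload), "safe:      ", probe(conn, safe_lookup, payload))
```

The vulnerable lookup turns the lone quote into a syntax error (the 500 seen in the post) and the OR payload into a query whose released = 1 filter is commented out, while the parameterised lookup returns an empty result for both.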


Source: https://infosecwriteups.com/sql-injection-vulnerability-in-where-clause-allowing-retrieval-of-hidden-data-portswigger-12342def10ec?source=rss----7b722bfd1b8d--bug_bounty