Skip to main content

🗂️PortSwigger Lab Writeup: SQL Injection Vulnerability in WHERE clause Allowing Retrieval of Hidden Data

PortSwigger lab description page for SQL Injection – Exploitng WHERE clause

🎯 Objective

The objective of this lab is to exploit a SQL injection vulnerability in a web application where the application executes a SQL query with user-supplied input in unsafe way to filter the products as well as show only released products and our goal is to view all the hidden(unreleased) products through SQL injection.

💉 Payloads Used

  • Payload 1(showed only hidden Gifts products) - ❌
Gifts'--
  • Payload 2(showed all hidden products) - ✅
Gifts' or 1=1--

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • Firstly open the lab URL in your browser, and observe what it is about and how it works. SQLi lab instance showing vulnerable shopping site
  • At first glance, the website seems to be a shopping website with an option to filter products on different categories. In the lab description, it is mentioned that the vulnerability is in the filter parameter which is being used directly in a SQL query.

🔍Step 2: Find the Vulnerable Endpoint

  • Click on any one of the filter to see how website behaves and where the filter parameter is passed to server. Browser address bar showing URL with filter parameter in category query string
  • Here, the site filters the products by supplying the category name in URL - /filter?category=...

🚀Step 3: Inject the Payload

  • Based on the provided SQL query in the lab description, we can inject the '-- along with the category name which will comment out the remaining SQL query -AND released = 1
  • Hence, we try our payload - Gifts'-- which when executed will result in a query - SELECT * FROM products WHERE category = 'Gifts'-- allowing us to view both released and unreleased products. Products displayed after injecting Gifts'-- showing unreleased gifts but lab not solved
  • Hence, the payload worked and showed us the hidden product but still the lab was not solved because our task was to view all the hidden products of all type of categories instead of a specific one.
  • Therefore, we try another payload - Gifts' or 1=1-- which when executed will result in a query - SELECT * FROM products WHERE category = 'Gifts' or 1=1-- allowing us to view all hidden products.
  • The above query will always result in True for WHERE clause, resulting in to show all the products without any condition. Full list of hidden and released products shown after injecting Gifts' or 1=1--, solving the lab
  • And💥Booom!, We got to see all the hidden products.
  • And Finally, the Lab is solved.

🧠 Conclusion

  • This lab involves a very basic case of SQL injection vulnerability, where the category parameter is used to filter products where the application directly concatenates the user-supplied category in the SQL query to fetch only the relevant products and also currently released to the public.
  • Since the application neither validates the user-input nor uses prepared statement, an attacker can manipulate the SQL query by injecting any arbitrary SQL commands to gain full access of the database.
  • By injecting ' or 1=1-- in the category parameter, we are able to manipulate the SQL query and view the hidden products.

🧾 Related CWEs

CWE IDTitleDescription
CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Application fails to properly sanitize user input before using it in SQL queries.
CWE-20Improper Input ValidationThe app does not validate user input properly, allowing malicious input to influence behavior.
CWE-713Owning Dangerous Functionality Without Adequate Security ControlsSQL capabilities are exposed without secure controls.
CWE-116Improper Encoding or Escaping of OutputFailure to safely encode input before inserting it into SQL queries.