SQL Injection/PortSwigger Web Security Labs

Ayşe Aktağ
6 min read · May 13, 2023


In order to learn web application security better and to keep my knowledge up to date, I started to solve the labs prepared by PortSwigger. As I solved the laboratories, I decided to share my solutions with you. I start with labs about SQL injection. I hope it will be useful for you too.

First of all, let’s start by answering the question: what is SQL injection?

What is SQL Injection?

SQL injection is a type of vulnerability that allows attackers to run their own SQL queries against the database through the web application. It usually allows an attacker to view data that they would not normally be able to access. This sensitive data may include data belonging to other users, or any other data that the application itself has access to.

Types of SQL Injection

1-In-band SQLi (Classic SQLi)

It is the most common and easiest-to-use type of SQL injection attack. In-band SQLi occurs when the attacker can use the same communication channel both to launch the attack and to collect the results.

1.1.Error-based SQLi

This type of SQL injection relies on error messages from the database server to obtain information about the structure of the database. It is a kind of in-band SQLi. Error-based SQL injection alone may be sufficient for an attacker to enumerate the entire database. Detailed error messages should therefore be disabled on a live site, or logged to a file with restricted access instead; otherwise they create an opening for this type of attack.

1.2.Union-based SQLi

This type of SQL injection uses the UNION SQL operator to combine the results of two or more SELECT queries into a single result set that is returned as part of the HTTP response. It is a kind of in-band SQLi.

2-Inferential SQLi (Blind SQLi)

This SQL injection variant is distinguished from the others by the fact that it may take longer for an attacker to exploit, but it is just as harmful as the other varieties. In this attack no data is transmitted back through the web application, so the attacker cannot see the result of the attack in-band; this is why it is called blind SQL injection. Instead, the attacker reconstructs the database structure by sending payloads and observing the web application’s response and the behaviour of the database server.

2.1.Boolean-based (content-based) Blind SQLi

Boolean-based SQL injection is an inferential technique in which the attacker sends an SQL query to the database and forces the application to return a different result depending on whether that query evaluates to true or false. It is a slow technique, especially on large databases, because the attacker must enumerate the database character by character.

Even though no data is returned from the database, it lets the attacker learn whether the payload used evaluated to true or false.

2.2.Time-based Blind SQLi

This attack is an inferential SQL injection technique based on sending an SQL query that forces the database to wait a certain amount of time before responding. Depending on whether the query result is true or false, the HTTP response is returned with a delay or immediately, so the response time tells the attacker the result.

As with boolean-based blind SQLi, the database must be enumerated character by character in this attack type, which is why it is slow on large databases.

3-Out-of-band SQLi

This type of injection is not very widely used, as it mostly depends on the features enabled on the database server used by the web application. It occurs when the attacker cannot use the same channel to launch the attack and collect the results. Out-of-band SQLi techniques rely on the database server’s ability to make DNS or HTTP requests in order to deliver data to an attacker.
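From the defender’s side, the in-band and inferential types above each leave a recognisable shape in the web server’s access log. The following is an added example, not part of the original article and not PortSwigger code: a small Python scanner that parses Common Log Format lines, URL-decodes the parameter values and labels each request with the technique its payload resembles. The log lines and the rule set are constructed for this example; the pattern names (union-based, boolean-based blind, time-based blind, error-based) follow the taxonomy above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic): one benign request
# followed by one request per technique described above. The payloads are
# the textbook shapes the classifier looks for, nothing more.
SAMPLE_LOG = """\
10.0.0.5 - - [13/May/2023:10:00:01 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 5120
10.0.0.5 - - [13/May/2023:10:00:02 +0000] "GET /filter?category=Gifts' HTTP/1.1" 500 312
10.0.0.5 - - [13/May/2023:10:00:03 +0000] "GET /filter?category=Gifts'+UNION+SELECT+NULL,NULL-- HTTP/1.1" 200 6010
10.0.0.5 - - [13/May/2023:10:00:04 +0000] "GET /filter?category=Gifts'+AND+1=1-- HTTP/1.1" 200 5120
10.0.0.5 - - [13/May/2023:10:00:05 +0000] "GET /filter?category=Gifts'+AND+SLEEP(5)-- HTTP/1.1" 200 5120
"""

# Common Log Format: client, identity, user, [timestamp], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures for the in-band and inferential techniques, matched against the
# URL-decoded parameter values (hypothetical rule set, written for this example).
SIGNATURES = [
    ("union-based", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("time-based blind", re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("boolean-based blind", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("comment sequence", re.compile(r"--|/\*")),
]


def parse_line(line):
    """Return the fields of one log line, or None if it is not in Common Log Format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target, status):
    """Label a request target with the SQLi techniques its query string resembles."""
    labels = []
    # parse_qsl turns '+' and %XX escapes back into the characters the database would see
    values = [v for _, v in parse_qsl(urlsplit(target).query)]
    for name, pattern in SIGNATURES:
        if any(pattern.search(v) for v in values):
            labels.append(name)
    if any("'" in v for v in values):
        # A lone quote that produces a server error is the classic error-based probe;
        # a quote with a normal response is still worth recording.
        if int(status) == 500:
            labels.append("error-based (quote triggered server error)")
        else:
            labels.append("quote probe")
    return labels


def scan_log(text):
    """Return (target, status, labels) for every log line that matched at least one signature."""
    flagged = []
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        labels = classify_request(fields["target"], fields["status"])
        if labels:
            flagged.append((fields["target"], int(fields["status"]), labels))
    return flagged


if __name__ == "__main__":
    for target, status, labels in scan_log(SAMPLE_LOG):
        print(status, target, "->", ", ".join(labels))
```

Run over the constructed log, the benign request is left alone and the other four are each labelled with their technique; the quote-plus-500 pair is what an error-based probe looks like from the server side, which is also why the article recommends keeping detailed database errors out of live responses.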

Now that we have covered what SQL injection is and what its types are, let’s start solving the labs on PortSwigger.

Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

Lab: https://0a7600790407edf2837dec7500ef003c.web-security-academy.net/

When the lab is opened, its description states that there is a SQL injection vulnerability in the ‘category’ parameter. When a user enters the website and clicks on one of the categories, the SQL query shown in the lab description runs in the background. What this lab requires is to list the products of all the categories on the web page, not just the selected one.

First of all, the SQL query given in the lab description should be examined. In plain words, it says:

fetch the rows whose “category” column is “Corporate Gifts” from the “products” table in the website’s database. Once the SQL query is understood, the lab is opened by clicking “Access the lab”, and the following interface appears.

When the website is examined, it is seen that it is an e-commerce site. Click on any category to start working on the lab’s solution.

In this category, we test whether there is a SQL injection vulnerability.

If the SQL query running in the background can be interfered with, we can talk about a SQL injection vulnerability. To check whether the query can be tampered with, a single quote (') is placed at the end of the category value in the website link. As a result, a server-side error is returned. To confirm that the SQL query is really being altered, the part of the query that comes after our input should be disabled, which is done with the SQL comment sequence --. With -- appended after the quote, the vulnerability is confirmed.

As a result of this step, an extra product appears in the category listing: the AND released = 1 part of the query has been commented out, so a product that is not released is now shown. This proves that the website has a SQL injection vulnerability. After the vulnerability is detected, we move on to the lab’s actual goal: to list the products from the other categories on the same page while one category is selected.

To do this, the SQL query must be re-examined; the query given at the beginning and the manipulated query should be compared. (The category value appears as Corporate+Gifts in the URL; the + is just the URL encoding of a space.)

SELECT * FROM products WHERE category = 'Corporate Gifts' AND released = 1

SELECT * FROM products WHERE category = 'Corporate Gifts'--' AND released = 1

Comparing these queries, it becomes clear that more than one category can be listed by adding a condition that is always true before the comment sequence:

SELECT * FROM products WHERE category = 'Corporate Gifts' OR 1=1--' AND released = 1

The logic of this query is as follows: fetch the rows whose category is Corporate Gifts, OR for which 1=1 holds. Since 1=1 is always true, the OR operator makes the whole WHERE condition true for every row, whether or not its “category” column contains “Corporate Gifts”. The -- then comments out the rest of the original query, including the released = 1 check, so the database returns every product.

As can be seen, the lab has been successfully completed. Multiple categories are listed on the same page.
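To make the three stages of the walkthrough reproducible offline, here is an added example that is not part of the original article and not PortSwigger’s lab code: a Python script that builds an in-memory SQLite stand-in for the lab’s products table (constructed rows; only the “Corporate Gifts” category name comes from the article), runs the lab’s string-concatenated query against the lone-quote, '-- and ' OR 1=1-- inputs, and then runs the same inputs through a parameterised query to show the fix. The function names build_db, vulnerable_lookup, safe_lookup and demo are this example’s own.

```python
import sqlite3


def build_db():
    """Build an in-memory stand-in for the lab's products table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT, released INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, category, released) VALUES (?, ?, ?)",
        [
            ("Mug", "Corporate Gifts", 1),
            ("Engraved Pen", "Corporate Gifts", 0),  # unreleased: hidden by 'released = 1'
            ("Dog Toy", "Pets", 1),
            ("Desk Lamp", "Lifestyle", 1),
        ],
    )
    return conn


def vulnerable_lookup(conn, category):
    """The lab's query built by string concatenation: the input becomes part of the SQL."""
    sql = "SELECT name FROM products WHERE category = '" + category + "' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, category):
    """Parameterised form: the value is bound separately, so quotes and -- in it are just data."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def demo():
    """Replay the lab's steps against both lookups and collect what each returns."""
    conn = build_db()
    results = {}
    results["normal"] = vulnerable_lookup(conn, "Corporate Gifts")
    try:
        # a lone quote leaves the string literal unterminated: the server-side error seen in the lab
        vulnerable_lookup(conn, "Corporate Gifts'")
        results["lone quote"] = "no error"
    except sqlite3.Error as exc:
        results["lone quote"] = "database error: " + str(exc)
    # '-- comments out "AND released = 1", so the unreleased product appears
    results["comment out filter"] = vulnerable_lookup(conn, "Corporate Gifts'--")
    # ' OR 1=1-- makes the WHERE clause true for every row
    results["or 1=1"] = vulnerable_lookup(conn, "Corporate Gifts' OR 1=1--")
    # the same payload against the parameterised query matches no category at all
    results["safe, same payload"] = safe_lookup(conn, "Corporate Gifts' OR 1=1--")
    results["safe, normal"] = safe_lookup(conn, "Corporate Gifts")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The parameterised version is the fix the lab is hinting at: the database receives the query text and the category value as two separate things, so the quote and the comment sequence never reach the SQL parser, and the released = 1 filter stays in force no matter what the user types.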

I hope you enjoyed reading it. Don’t forget to stay tuned for the next lab solution. Hope to see you in the next article :)
