SQL Post/Search Injection on bWAPP

Cambria Kinkelaar
Mar 27, 2024


In this post, I will be exploiting the SQL Injection (Post/Search) section on the Buggy Web Application. This instance of bWAPP was hosted on a Docker container on an Ubuntu VM and will be exploited from a different Kali Linux VM. This aspect of bWAPP will be exploited on the low setting.

Upon selecting the SQL Injection (Post/Search) setting, this is what the user will see.

The Post/Search site on bWAPP

This exploit will be extremely similar to that of the Get/Search SQL injection. The difference here is that the payload now must be injected into the text box, rather than the URL. To exploit this, I will enter a movie into the text box, followed by the payload.

The payload that will be used is shown below.

Payload that will display the operating system of the web server

When the movie name followed by the payload is entered into the text box, the following is displayed.

The web page after entering the SQL injection

As shown above, the operating system of the web server is displayed at the bottom of the page. This means that the SQL Post/Search injection was a success.
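Why moving the input from the URL to a form field makes no difference on the server, shown as an added example that is not from the original post or from bWAPP's own code: the same POST body is handled once by string concatenation and once by a bound parameter. The `movies` table, the `title` field name, the sample rows, and the in-memory SQLite database standing in for the application's database are all assumptions made for illustration.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode

def make_db():
    """Build a constructed in-memory table (names and rows are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE movies (title TEXT, genre TEXT)")
    db.executemany(
        "INSERT INTO movies VALUES (?, ?)",
        [("Iron Man", "action"), ("Man of Steel", "action"),
         ("Terminator Salvation", "sci-fi")],
    )
    return db

def form_field(post_body, name):
    """Read one field from an application/x-www-form-urlencoded POST body."""
    return parse_qs(post_body).get(name, [""])[0]

def search_vulnerable(db, post_body):
    # The form value is pasted into the SQL text, so a quote in the input
    # ends the string literal and the rest is parsed as SQL.
    title = form_field(post_body, "title")
    sql = "SELECT title FROM movies WHERE title LIKE '%" + title + "%'"
    return sorted(row[0] for row in db.execute(sql))

def search_parameterized(db, post_body):
    # The form value is bound as data; the statement's structure is fixed
    # before the input is seen, whatever characters it contains.
    title = form_field(post_body, "title")
    sql = "SELECT title FROM movies WHERE title LIKE ?"
    return sorted(row[0] for row in db.execute(sql, ("%" + title + "%",)))

# Constructed request bodies: an ordinary search, and one whose value
# contains a quote that rewrites the WHERE clause when concatenated.
BENIGN = urlencode({"title": "man"})
CRAFTED = urlencode({"title": "zzz%' OR '%'='"})

if __name__ == "__main__":
    db = make_db()
    for label, body in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, "concatenated: ", search_vulnerable(db, body))
        print(label, "parameterized:", search_parameterized(db, body))
```

With the bound parameter, `%` in the input still acts as a LIKE wildcard, but it can no longer change which statement runs.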
