
SQL injection with filter bypass via XML encoding

Introduction

Hello, friends! How are you all doing? So, this is our 14th article on SQL Injection vulnerabilities. In this article, we will cover the PortSwigger Web Security lab on “SQL injection with filter bypass via XML encoding,” step by step with practical examples.

Lab Description

This lab focuses on an SQL injection vulnerability in the “Check stock” feature. The result of the query is returned in the application’s response, so we can perform a UNION attack to retrieve data from other tables. The database contains a table called “users” that holds the registered users’ usernames and passwords. To solve the lab, you need to perform an SQL injection attack, retrieve that data, and log in to the lab using the administrator’s account.

Remember: in this lab, a web application firewall (WAF) inspects the request and can detect your attack. Therefore, you need to obfuscate your payload using the Hackvertor extension, which makes the payload unrecognisable to the WAF. You can find this extension in the BApp Store in Burp Suite.

Lab Solution


First, access the lab. After accessing the lab, click on any product.

Click on “View product details” for any product.

After that, use the “Check stock” feature by clicking on it. Remember to enable your Burp proxy to save the traffic in the HTTP history.


You can intercept the “Check stock” feature directly or send it to the repeater.

The “storeId” field contains an SQL injection vulnerability, but the server is blocking my attack.

Go to the Extender tab, open the BApp Store, and install the Hackvertor extension.


After installing the extension, select your payload (1 UNION SELECT NULL) from start to end and encode it with Hackvertor. Choose “hex_entities” as the encoding.

Your encoded form will look something like this:

<@hex_entities>1 UNION SELECT NULL<@/hex_entities>

As you can see, I am finding the number of columns: with the first NULL value I see “1” in the response, which means there is one column here. Let’s add another NULL value to confirm.


Now “0” is showing as “UNITS.” This means there is only one column, and that is the column we need to exploit.

We already know that there is a table called “users” that contains usernames and passwords. Let’s build an SQL injection query for it; since there is only one column, the username and password are concatenated with the || operator, separated by a “~” character.

<storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities></storeId>
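Why the entity-encoded payload slips past the filter, as an added example (not part of the original post or of PortSwigger’s lab code): the same keyword rule misses the encoded request body but fires once the XML parser has decoded it, and a parameterized query with type validation closes the hole regardless of encoding. The `hex_entities` helper, the stock table and the request body below are assumptions constructed for the demo.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET


def hex_entities(text: str) -> str:
    """Re-implementation (assumption) of Hackvertor's hex_entities tag:
    each character becomes an XML hex character reference, e.g. '1' -> '&#x31;'."""
    return "".join(f"&#x{ord(c):x};" for c in text)


# Constructed sample request body for the "Check stock" feature, with the
# column-probing payload from the write-up wrapped in hex entities.
RAW_BODY = (
    "<stockCheck><productId>1</productId><storeId>"
    + hex_entities("1 UNION SELECT NULL")
    + "</storeId></stockCheck>"
)

# Minimal keyword rule standing in for the WAF signature (assumption).
SQLI_PATTERN = re.compile(r"\b(UNION|SELECT)\b", re.IGNORECASE)


def naive_filter_blocks(raw_body: str) -> bool:
    """WAF rule run on the raw body: it only sees '&#x55;&#x4e;...', never 'UNION'."""
    return bool(SQLI_PATTERN.search(raw_body))


def decoded_filter_blocks(raw_body: str) -> bool:
    """Same rule run after XML parsing, i.e. on the value the application will use."""
    store_id = ET.fromstring(raw_body).findtext("storeId") or ""
    return bool(SQLI_PATTERN.search(store_id))


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # constructed stock table
    conn.execute("CREATE TABLE stock (productId INTEGER, storeId INTEGER, units INTEGER)")
    conn.executemany("INSERT INTO stock VALUES (?, ?, ?)", [(1, 1, 42), (1, 2, 7)])
    return conn


def vulnerable_stock(conn: sqlite3.Connection, raw_body: str) -> list:
    """Concatenates the decoded storeId into SQL: the UNION runs and an extra row appears."""
    store_id = ET.fromstring(raw_body).findtext("storeId")
    rows = conn.execute(f"SELECT units FROM stock WHERE productId = 1 AND storeId = {store_id}")
    return [r[0] for r in rows]


def safe_stock(conn: sqlite3.Connection, raw_body: str) -> list:
    """Validates the type, then binds the value: the payload is rejected, never executed."""
    store_id = ET.fromstring(raw_body).findtext("storeId") or ""
    if not store_id.isdigit():
        raise ValueError("storeId must be a positive integer")
    rows = conn.execute("SELECT units FROM stock WHERE productId = 1 AND storeId = ?", (int(store_id),))
    return [r[0] for r in rows]
```

The lesson for defenders: a filter must normalise input exactly as the downstream parser does, and even then it is only a second line behind parameterized queries.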

So, I have obtained the credentials. Now, let’s log in with the administrator account.

I have successfully logged in as an administrator. The administrator’s username is “administrator,” and the password is “zq5lccv2s56v8uk2fasg.” Thus, we have solved the PortSwigger Web Security lab on “SQL injection with filter bypass via XML encoding.”

You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.

Now you have officially completed all the SQL injection labs. Next, move on to the Authentication Vulnerabilities labs, starting here: Username Enumeration via Different Responses. Good luck!

FAQs

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always a good practice to use an up-to-date browser with timely updates. Keep your browser plugins up-to-date, avoid malicious websites and links, and always enable 2-factor authentication while avoiding clickjacking.

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.
