Level 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
Objective
This lab contains a SQL injection vulnerability in the product category filter. When a user selects a category, the application performs a SQL query similar to:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.
Explanation
The application dynamically builds SQL queries based on user input without proper sanitization. This creates an opportunity to inject malicious SQL code into the category parameter. By altering the query logic, we can bypass the intended filter that limits results to only released products and retrieve hidden (unreleased) entries from the database.
Resolution
Access any product category from the main page.
Observe the URL structure, which includes a query parameter:
/filter?category=Accessories
Replace the Accessories value with the following SQL payload:
' OR 1=1-- -
The full URL becomes:
/filter?category=' OR 1=1-- -
This injection modifies the query as follows:
SELECT * FROM products WHERE category = '' OR 1=1-- -' AND released = 1
The -- - sequence comments out the remainder of the query, including the AND released = 1 condition. Since 1=1 is always true, the WHERE clause matches every row, so both released and unreleased products are displayed.
If the application reveals at least one unreleased product, the lab is solved.
Mitigation
To prevent SQL injection vulnerabilities like this, applications should:
Use parameterized queries (prepared statements) instead of dynamically constructing SQL with user input.
Implement server-side input validation and sanitization.
Apply the principle of least privilege to database accounts.
Monitor logs for unexpected SQL behavior or anomalies.
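As an added example (not part of the lab or its original write-up), the vulnerable string-concatenated query beside its parameterized fix, run against a constructed in-memory SQLite products table with the same shape as the lab's query; the table contents and function names are assumptions:

```python
import sqlite3

# Constructed sample data (not the lab's): two released products, one unreleased.
SAMPLE_PRODUCTS = [
    ("Gift Basket", "Gifts", 1),
    ("Carabiner", "Accessories", 1),
    ("Unreleased Widget", "Gifts", 0),
]

# The payload from the write-up, used here only to show both query styles' behaviour.
PAYLOAD = "' OR 1=1-- -"


def make_db() -> sqlite3.Connection:
    """Build an in-memory products table matching the lab's query shape."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def filter_vulnerable(conn: sqlite3.Connection, category: str) -> list[str]:
    """Vulnerable: the category value is pasted into the SQL text, so the
    comment sequence strips 'AND released = 1' and OR 1=1 matches every row."""
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def filter_parameterized(conn: sqlite3.Connection, category: str) -> list[str]:
    """Fixed: the category is bound as a parameter; the driver treats the whole
    input as a literal string, so it can never change the query's logic."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input    :", filter_vulnerable(db, "Gifts"))
    print("vulnerable, payload         :", filter_vulnerable(db, PAYLOAD))
    print("parameterized, normal input :", filter_parameterized(db, "Gifts"))
    print("parameterized, payload      :", filter_parameterized(db, PAYLOAD))
```

With the parameterized version the payload simply becomes a category name that matches nothing, which is the behaviour a defender wants to confirm in a regression test.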