This video demonstrates how to manually and programmatically exploit a SQL injection vulnerability in a product category filter to retrieve unreleased products. It emphasizes the practical application of SQL injection theory through a hands-on lab exercise.
Hi everyone, welcome back to another video in the Web Security Academy series. In the previous video we described the theory behind SQL injection attacks: we covered what a SQL injection is, the different types of SQL injection, how to detect and exploit them, and then we ended the video with how to prevent them. I've added the link to the previous video in the description if you want to check it out.

In today's video we'll be covering lab number one of the SQL injection module in the Web Security Academy. If you do not have an account you can get one by visiting the URL portswigger.net/web-security and clicking on the sign up button. Now, I already have an account and I am logged in, so to access the academy I'm going to click on Academy, scroll down and select the learning path. This is the path that PortSwigger recommends you follow when learning about the topics that the academy covers, and this is the path that we'll be following in our videos. So go down and select the first option, which is SQL injection.

We've already covered the theory portion in the last video, so we won't be covering it again in this video. Instead we'll jump right ahead to the first lab, which is titled "SQL injection vulnerability in the WHERE clause allowing retrieval". Now, the way that the academy is structured is it gives you a description of the exercise it wants you to complete and the vulnerability that it wants you to exploit. It also gives you the solution; we're not going to look at that because we're going to try to solve it on our own. And then it gives you access to the lab environment to run the exploit.
Before we go ahead and look at the vulnerable application, notice that I have a text document on the right. The reason I keep one is because I'm trying to train myself to always keep notes when it comes to pen testing engagements, and so we'll be doing that in the videos as well.

So let's look at the description. "This lab contains a SQL injection vulnerability in the product category filter." So that's important: a SQL injection vulnerability, and it's in the product category filter. "When the user selects a category, the application carries out a SQL query like the following." So it actually gives us the back-end SQL query that gets executed, which is great, because we know the structure of the query; that means we know how to automatically build our SQL payload, and we'll see that in a bit. And then: "To solve the lab, perform a SQL injection attack that causes the application to display details of all products in any category, both released and unreleased." So the goal is to display all products regardless of their category, both released and unreleased. So what's likely happening is that the application displays the released products to the user; however, there are unreleased products that are not displayed to the public, and what we're going to try to do is exploit the SQL injection vulnerability and display the unreleased products.
So let's click on the link over here. This is a shopping application, and you can refine what you see depending on category. So there is one, two, three, four, and one, two, three; three times four, so 12 products that you could buy. However, if you refine your search to, for example, just Pets, it'll display three products which are somehow related to pets. You'll see that the category that you selected gets populated in a parameter in the URL called category. So this is the category filter that has a SQL injection vulnerability, so this is the one that we need to exploit.

Now you might be wondering: well, in a real pen testing engagement you're not told which parameter is exploitable, so how would you know? And the answer would be to follow the general methodology that you would when you're pen testing applications. So the first thing that you would do would be to map the application, and what that means is visit the application and learn how it works, learn the logic in the application, find out all the different endpoints in the application, find out all the different input vectors that could potentially talk to the back end of the application. And when you do that you'll discover the category field; that is an input vector that talks to the back end, because depending on the value that you give it, it'll display different results.

And then once you've discovered this field it's just a matter of fuzzing. So if you think it's talking to a back-end SQL database then you'll enter SQL characters that could potentially break the back-end query, and this way, if it breaks the back-end query, then depending on how the application is configured and how it's coded it could give you different response codes, it could give you different responses from the application, it could give you errors and so on. And then depending on the response you could infer the fact that it might be vulnerable to a SQL injection. And then once you've detected the fact that it might be vulnerable to a SQL injection, it's a matter of giving the application iteratively different payloads until you've figured out at least approximately how the SQL query works at the back end, and then this way you could build your payload and successfully exploit the SQL injection. Now since this is a beginner video we're already given the SQL injection, sorry, the SQL query that is happening at the back end, but even if you're not, this is easy to figure out depending on how you fuzz the application.
So what's happening over here? Let's have an analysis section. When you entered Pets, what's happening is it puts pets in the category field and it runs this query, and what this query does is it says: select all the rows from the products table where the category column is equal to pets and the released column is equal to one. So what it'll show you is all the products that are in the category Pets, but also they have to be products that have been released. So if released was equal to, for example, zero, then you wouldn't see the product over here, because it's not released to the public.
So now, remember when I said fuzzing? Let's try a common SQL character. If the application doesn't properly validate user input and doesn't use parameterized queries, then chances are it is vulnerable to SQL injection, and a way to detect that is to add SQL characters that might break the query, and one of the most used ones is the quote character or the double quote character. So let's try that and see what happens.

Okay, so we get an internal server error, so right away I'm thinking this is vulnerable to a SQL injection. And the reason I think that way is because of what's happening: instead of having pets over here we entered a single quote, and so it broke the application, because the way it sees it is: select all the rows from the products table where the category field is equal to nothing. So this quote over here that we added closed the other quote for the category field, and then all of a sudden it has a single quote that likely resulted in a syntax error, which resulted in an error in the web server, an internal server error in the web server, and so we broke the application. So this is an indication that it's vulnerable to SQL injection; we don't know yet that it is, so let's try to build a SQL injection payload.

And to do that I need the application to respond properly instead of responding with an error. So what I'm gonna do is: this quote over here that I added closes this quote over here, and so I'm gonna add the comment field in order to tell it to ignore the rest of the query, and this way it won't run into this single quote and it won't generate an error. So let's put that payload in. And before I run it, what would happen at the back end right now is it'll literally just run this query over here: select all rows from the products table where the category is equal to nothing, and then because this is a comment field it'll ignore the rest of the query, and this is a valid query, so it shouldn't give me an error. Let's run it, and here we go: we don't get an error. We also don't get any search results, because the category field is set to nothing, so it works. Now I'm confident that it is vulnerable to a SQL injection vulnerability.
And so the next thing to do is to try to solve the exercise. So we said the end goal of the exercise is to display all the products, both released and unreleased, so let's copy our query again and try to solve this exercise.

Okay, so I need to display all the products, so I'm going to add an OR 1 is equal to 1, so a conditional statement. So what this will do is it will say: select all the rows from the products table where either category is equal to nothing or the conditional statement 1 is equal to 1 evaluates to true. Now 1 is equal to 1 will always evaluate to true, and so it will display all the rows in the products table. So let's try that out. This is our query over here, sorry, our payload; hit enter, and here we go, it says congratulations, you've solved the lab. If we go down you can see one, two, three, four, five, and one, two, three, four, so that's five times four, twenty entries, whereas before we were only able to see twelve. And if we just select Gifts, for example, sorry, if we select all, these are the entries that we could normally see: Safety First, Folding Gadgets and so on. But then when we exploited the vulnerability we're able to see much more products; I believe Roulette Drinking Game was not one of them, and so on. Anyways, so we've successfully exploited the SQL injection vulnerability manually. Now let's try scripting it.
Okay, so if you haven't watched my introductory video on this, the reason I script the attacks is because in your pen testing career you will run into scenarios where doing things manually is not going to cut it and it's a bit unrealistic. And so, as a way of training myself, I script all my attacks, and this way when I do come across a vulnerability that requires scripting, like a blind SQL injection vulnerability, which we'll do in the future, I already know how to do it. And my language of choice is Python.

So the first thing that I do is import the requests library. This will allow you to make HTTP requests and will be your best friend when it comes to application pen testing. And next I'll import the sys library and the urllib3 library. What I also do is I usually set the proxy setting in all my scripts. Most people don't do that and I don't understand why, because it's a great way of debugging why your script doesn't work, and I'll show you. Set it for 8080, and so what that will do is whenever the script runs it'll pass it through my proxy, which is Burp; I'll show you that in a second. And then if I allow it in the Burp proxy to relay it back to the web server it'll do that, and then any response from the web server will get passed through my proxy again and then back to the application. So it's a great way of debugging scripts, and we'll do that in a second. And then next, I've got all my configuration settings ready.

Now let's create the main method. I'm going to have a conditional. Okay, so the way that I want the script to work is when I run it I give it two command line parameters: one is the URL of the application, and two, the payload that I want to use, so the SQL injection payload that I want to use. And so it takes in two parameters. Now, if it doesn't find these two parameters, or you don't enter the correct number of parameters or so on, it'll throw an exception, and when it does that I want it to display a nice error instead of the exception code. So let's start out with a try block. So url is equal to the first argument, and then the second argument would be the payload. And we have an error over here, okay. Now if you run into an exception then I want it to print the usage instructions, so the name of the program, and then I also want it to give me an example; this way the code is a little bit cleaner. And the URL is www.example.com, and let's say the payload is 1 is equal to 1. Now because I'm using it as a string over here I need to convert this into single quotes so that it doesn't interfere with the program. And then exit the program, since we ran into an exception.

Okay, awesome. All right, so if you gave it the correct command line arguments it'll set the first one to the url parameter and it'll set the second command line argument to the payload. If you didn't give it the correct number of command line arguments it'll print these statements over here. What we're gonna do is we're just gonna run it: python3 sqlib01.py. And here we go, so because I didn't give it the correct number of arguments it printed the usage instructions and an example of how to run the program. Okay.
Up next I want to create a function that, if it evaluates to true, that means I have a SQL injection, and if it evaluates to false, that means exploiting the SQL injection was not successful. So it takes in the URL and the payload, and if it evaluates to true then it's going to print that it was successful; however, if it evaluates to false it prints that it was unsuccessful. Okay, awesome. Now the next step is to create the function itself.

Now before we fill out what the function does (so it does nothing right now), we need to learn more about the request that is happening when we click on a category. To do that we're going to use our favorite proxy tool, which is Burp Suite, and if you don't know how to use this tool it's definitely worth investing the time to learn it, because I don't know anyone who works in the web app pen testing field that doesn't use it. And I'm using the Community Edition, so you don't have to buy the Professional Edition to do this. Okay.

So a bit of background on what this tool does: if you configure it, what it can do is it sits as a middleman between the application and your browser, and so when I click on anything in the browser and it makes a request, it'll send it first to my proxy, which is Burp, and then it'll send it to the web server. And then when a response comes back from the web server it'll pass it through my proxy again and then back to the browser. And the reason this is nice is because this way you could manipulate the request before it goes to the web server; you'll see it happen with things like client-side validation and so on. But also you get to see exactly what is happening in the request, which you can technically see in the browser if you look at developer tools, but it's just so much easier to use a proxy for it.

Now I already have the proxy set at localhost 8080, and that is why in the script you'll see over here that I set it to localhost 8080. I also need to configure my browser to use it, and so I use FoxyProxy, which is a great extension that allows you to enter a bunch of proxy settings and then you select which one you're using. I have Burp over here; I'm going to click on options and show you how it's set. So again I've got it set at localhost and then port 8080. Now you could do that from the proxy settings of the browser, but toggling it on and off becomes unrealistic, going back to your settings every time, and so it's so much easier to just turn it off and turn it on whenever you want. So let's see if this is still working. You can see over here that it intercepted the request, so it hasn't sent it on to the web server yet; instead it intercepted it, and it tells me that this is a GET request and I'm requesting product ID three. Now I'm gonna forward the request, and it timed out, and the reason is because we haven't touched this application in a bit while we were scripting, and so we just need to load it one more time. Let's do that, and I'm going to turn the proxy off so that it doesn't intercept every single request, and you'll see over here that there are so many requests that are happening, and it'll log all of them in the HTTP history tab. And I usually like to filter on the most recent request. So you see over here, that's something that you didn't see in the browser itself: that it's calling JS scripts, it's calling images and so on.
Okay, so I want to intercept what happens when I select a category. Here we go, and I'm going to send it to Repeater. It's a GET request and this is the URI that it's using. So what we're going to do is we're going to turn the proxy off, we don't need it anymore, go back to Repeater, and we'll use this to build our code.

Okay, so let's remove that "does nothing" and then put uri equal to the filter path with category equals, and then we'll make a GET request, requests.get, and that would be the url plus the uri plus the payload. So what this will do is it'll take the blah-blah-blah.websecurity.net or .com, whatever it was, and then it'll concatenate the URI to it, and then it'll also concatenate the payload after the equal sign. I'm going to set verify to be equal to False, and proxies.

Okay, and then I want a way to figure out if we successfully exploited the vulnerability, and one way to do that is if we check if the response has an item, so an unreleased item that is not normally viewable by the public. And so we're going to go back over here and look at all; so these are all the items that are available to the public. Now let's look at the items that are not. To do that, this is our SQL injection. So I believe, if I'm not wrong, the Cat Grin product was not there before, so let's go back. Yeah, it wasn't there before, so we could filter on that. Let's do that again.

Okay, so let's say if the string "cat grin" is in the response, r.text, then return True; that means we've successfully exploited the SQL injection vulnerability, because we can see an item that we're not supposed to see as a regular user. Otherwise return False, which means that the SQL injection failed. So let's compile this, see if there are any errors. There are errors, over here; save that, run it again. Okay, awesome, it looks like there are no errors. Let's clear.

Okay, so let's run our program, lab 3, and then we give it the URL, and then the SQL injection, which is right over here, and this is why it's good to keep notes. Okay, and let's run it, see if it was successful. Now, first of all, it is successful, which is great, but notice that we do get an error over here, and to fix that it's urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning). Okay, so now it shouldn't display this error. Okay, perfect, let's clear this and run it again. All right.

So what this does is we're calling the program, we're giving it the URL to the application and we're giving it a SQL payload, and so it built the request for us, it runs it, and then if it sees the product it will return True, which will print out "SQL injection is successful". If it doesn't see that product, that means we didn't display any unreleased products, and therefore it'll return False and print the message "SQL injection unsuccessful". So this is a true case; in this case it is successful. Now if we run it again but with, I don't know, just a single quote, which should just display an internal server error, it should say "SQL injection unsuccessful". Okay, perfect.

So we've successfully completed the exercise. To recap, in this video we first manually exploited a SQL flaw in the category filter field of the application. This allowed us to view products that have not yet been released to the public. We then scripted that exploit so that it automatically does that for us. I'll add the link to the exploit on GitHub in the description of the video. If you liked the video, hit the subscribe and share button so that it reaches a wider audience. Also comment below what you learned in the video and what you would like to see more of in the future. See you in the
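The back-end query the lab describes (category filter plus released = 1) and the two inputs walked through in the video (a lone single quote, then OR 1=1 with a comment) reproduced against a local SQLite copy of the products table, as an added example that is not from the video, the lab, or the author's script. The product rows are constructed, the table name and columns follow the lab description, and the parameterized version is the fix the video alludes to when it mentions parameterized queries.

```python
import sqlite3

# Constructed sample rows, not the lab's real catalogue: (category, name, released).
# Names borrow from the ones the video mentions; released=0 means "not public".
SAMPLE_PRODUCTS = [
    ("Gifts", "Safety First", 1),
    ("Gifts", "Folding Gadgets", 1),
    ("Gifts", "Roulette Drinking Game", 0),
    ("Pets", "Cat Grin", 0),
    ("Pets", "Paw Lotion", 1),
    ("Lifestyle", "Couch Tracker", 1),
]
UNRELEASED = {name for _, name, released in SAMPLE_PRODUCTS if released == 0}


def make_db():
    """Build an in-memory products table shaped like the lab's query expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (category TEXT, name TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def vulnerable_filter(conn, category):
    """The lab's query built by string concatenation: the category value is
    spliced into the SQL text, so a quote inside it changes the statement."""
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def safe_filter(conn, category):
    """Same query with a bound parameter: the value is passed as data and is
    never parsed as SQL, so "' OR 1=1--" is just a category that matches nothing."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def probe(conn, filter_fn, category):
    """Run one filter with one input. Returns ('error', None) when the statement
    fails to parse (the lab's internal server error), else ('ok', names)."""
    try:
        return "ok", filter_fn(conn, category)
    except sqlite3.OperationalError:
        return "error", None


def exposes_unreleased(names):
    """The same oracle the video's script uses: did a never-public product show up?"""
    return bool(UNRELEASED.intersection(names))


if __name__ == "__main__":
    db = make_db()
    for fn in (vulnerable_filter, safe_filter):
        for value in ("Gifts", "'", "' OR 1=1--"):
            status, names = probe(db, fn, value)
            print(f"{fn.__name__:18} {value!r:14} -> {status}, {names}")
```

Running it shows the three behaviours the video observes in order: a normal category works in both versions, the bare quote breaks only the concatenated query, and the OR 1=1 input returns every row including unreleased ones only from the concatenated query.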