I have been away from blogging for a while because I partially stopped learning this stuff. Now I thought I would begin again from the start, as I found a new and interesting website. Come join me as I walk through the tutorial provided by PortSwigger.
First we have to make an account, then go to the Learn tab. There they provide:
- XML external entity (XXE) injection
- SQL injection
- Cross-site scripting (XSS)
- OS command injection
- File path traversal (directory traversal)
They are improving the courses. So let's start with SQL injection.
They have provided detailed material about it; even a video tutorial is included.
What is SQL injection?
It is a web vulnerability which allows an attacker to inject SQL commands into an application's database queries, retrieve data they are not authorized to access, gain admin privileges, and perform other harmful actions.
As we move along, there are vulnerability labs for testing what we have learned, which is a very good feature. In this post, let's try the first SQLi lab.
Retrieving hidden data
It says there is a shopping application which displays products in different categories. When the user clicks on the Gifts category, their browser requests the URL:
https://insecure-website.com/products?category=Gifts
This causes the application to make an SQL query to retrieve details of the relevant products from the database:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
This SQL query asks the database to return:
- all details (*)
- from the products table
- where the category is Gifts
- and released is 1.
The restriction released = 1 is being used to hide products that are not released. For unreleased products, presumably released = 0.
The application doesn't implement any defenses against SQL injection attacks, so an attacker can construct an attack like:
https://insecure-website.com/products?category=Gifts'--
This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
The key thing here is that the double-dash sequence -- is a comment indicator in SQL, and means that the rest of the query is interpreted as a comment. This effectively removes the remainder of the query, so it no longer includes AND released = 1. This means that all products are displayed, including unreleased products.
Going further, an attacker can cause the application to display all the products in any category, including categories that they don't know about:
https://insecure-website.com/products?category=Gifts'+OR+1=1--
This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
The modified query will return all items where either the category is Gifts, or 1 is equal to 1. Since 1=1 is always true, the query will return all items.
Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
This lab contains an SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out an SQL query like the following:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
To solve the lab, perform an SQL injection attack that causes the application to display details of all products in any category, both released and unreleased.
Now click the "Access the lab" button.
You will be redirected to another site which, as they mention, is vulnerable to SQLi.
We see there are category tags; click one of them. I clicked "Accessories".
Now check the URL; it changed from
to
So, add a ' at the end.
This gives an error, since the extra quote leaves the SQL string literal unterminated.
Then try adding ' or '1'='1'-- as they taught; it works the same way as the OR 1=1 example, because '1'='1' is always true and -- comments out the released = 1 check.
SOLVED.
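To see concretely what the queries in the explanation above do, and why the ' or '1'='1'-- payload from the walkthrough behaves the same way as Gifts' OR 1=1--, here is an added example in Python (it is not part of the PortSwigger material or of this post). It builds a small in-memory SQLite products table with constructed sample rows, runs the category lookup once the insecure way (string concatenation, as the vulnerable application does) and once with a bound parameter, and shows that the comment and OR payloads expose the unreleased product only through the concatenated query. The table rows, the product names and the function names are my own assumptions.

```python
import sqlite3

# Constructed sample data (not from the lab): one product is unreleased.
PRODUCTS = [
    ("Gift card", "Gifts", 1),
    ("Secret gift", "Gifts", 0),
    ("Phone case", "Accessories", 1),
]


def make_db():
    """Create an in-memory products table matching the column names on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def vulnerable_lookup(conn, category):
    """Mirror the insecure application: the category is pasted into the SQL text."""
    query = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return sorted(row[0] for row in conn.execute(query))


def safe_lookup(conn, category):
    """Hardened form: the category travels as a bound parameter, never as SQL text,
    so a quote or -- inside it is just data and cannot change the query structure."""
    query = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(query, (category,)))


def raises_syntax_error(conn, category):
    """True if the concatenated query fails to parse (the lone-quote probe from the walkthrough)."""
    try:
        vulnerable_lookup(conn, category)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run each payload through both lookups; returns {payload: (vulnerable, safe)}."""
    conn = make_db()
    payloads = ["Gifts", "Gifts'--", "Gifts' OR 1=1--", "' or '1'='1'--"]
    return {p: (vulnerable_lookup(conn, p), safe_lookup(conn, p)) for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, safe) in demo().items():
        print(f"{payload!r:20} vulnerable={vuln} safe={safe}")
    print("lone quote errors:", raises_syntax_error(make_db(), "Gifts'"))
```

Running the block prints that the plain category returns only the released gift from both paths, that Gifts'-- leaks the unreleased gift through the vulnerable path, that the two OR payloads return every product, and that the parameterised query returns nothing for any of the payloads because it is looking for a category literally named after the payload string.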
Reference: PortSwigger