
SQLi Labs Guide

The document outlines a series of labs focused on exploiting SQL injection vulnerabilities, including bypassing login authentication, retrieving hidden data, and performing UNION attacks to extract sensitive information. Each lab provides step-by-step instructions for setting up the environment, analyzing requests, and executing SQL injection techniques. The objective is to demonstrate how to identify and exploit SQL injection vulnerabilities in various scenarios.

Uploaded by

kookao

Documentation: SQL Injection Vulnerability Allowing Login Bypass

Objective
Exploit a SQL injection vulnerability in the login function to authenticate as the
administrator user.

Steps to Solve

1. Preparation
1. Access the Lab:

Open the lab URL in your web browser.

This will present a login page with a username and password field.



2. Analyze the Login Request
1. Enter Dummy Credentials:

In the login form, input any placeholder values like:

Username: administrator

Password: admin



2. Capture the Request in Burp:

Submit the login form.

Burp Suite will intercept the HTTP request.

Send it to Repeater and analyze the request body.

Modify the request parameters by adding ' (a single quotation mark) at the end of a parameter to check for SQL injection.

If the response is a server error, the parameter is vulnerable to SQL injection.

After checking this, use a SQL injection query to log in as administrator.

Modify the administrator value of the username parameter in the request body:

After modifying the username parameter, send the request.

Note the session cookie in the response and copy it.

Go back to the browser and inspect the login page.

Go to the cookie options, paste the cookie there, and click the My Account option.

You will be logged in as administrator and the lab is solved.

Lab - SQL Injection Vulnerability in WHERE Clause Allowing Retrieval of Hidden Data

Objective
Exploit a SQL injection vulnerability in the product category filter to retrieve
unreleased products.

1. Preparation
1. Access the Lab:

Open the lab URL in your browser.

Browse to the page containing the product category filter.

2. Set Up Burp Suite:

Launch Burp Suite.

Configure your browser to route traffic through Burp.

Analyze the Filter Request


1. Select a Category:

Choose any category from the filter (e.g., Gifts).

Observe the application reloads or updates the product list.



2. Capture the Request in Burp:

Submit the filter request.

Burp Suite will intercept the HTTP request.

Send it to Repeater.

Modify the request parameters by adding ' (a single quotation mark) at the end of the parameter to check for SQL injection.

If the response is a server error, the parameter is vulnerable to SQL injection.

After checking for SQL injection, use a SQL injection query to show hidden data from the database:

' OR 1=1--

After entering this payload, send the request, check the response, and open it in a browser. It will display the hidden data.

Lab Solved !!



Lab - SQL Injection UNION Attack to Determine Number of Columns

Objective
Perform a SQL injection UNION attack to determine the number of columns in the
query by injecting null values. This is a foundational step to retrieve data from
other tables in subsequent labs.

1. Preparation
1. Access the Lab:

Open the lab URL in your browser.



Browse to the page containing the product category filter.

2. Set Up Burp Suite:

Launch Burp Suite.

Configure your browser to route traffic through Burp.

2. Analyze the Filter Request


1. Select a Category:

Choose any category from the filter (e.g., Gifts).

Observe the application reloads or updates the product list.

Capture the Request in Burp:

Submit the filter request.

Burp Suite will intercept the HTTP request.

Send it to Repeater.

In Repeater, look closely at the request body, add ' (a single quotation mark) at the end of the search parameter, send the request, and check the response for signs of SQL injection.

Perform SQL Injection to Determine Column Count:

Add the SQL query ' ORDER BY 1-- to find out the number of columns in the table.

Note: increase the number from 1 until the response shows an error.

We tried ORDER BY 1 through 3 and the response showed an OK status, but when we sent ORDER BY 4 the response showed an error.

Now use a SQL UNION injection with NULL values to check the number of columns in the table.

SQL UNION injection:

' UNION SELECT NULL,NULL,NULL--

Lab Solved !!


Lab - SQL Injection UNION Attack to Find a Column Containing Text

Objective
Perform a SQL injection UNION attack to identify a column compatible with string
data by injecting a random value provided by the lab. This allows further
exploitation, such as retrieving sensitive data.

1. Preparation
1. Access the Lab:

Open the lab URL in your browser.

Take note of the random string value provided by the lab (e.g., abcdef).

2. Set Up Burp Suite:

Launch Burp Suite.

Configure your browser to proxy traffic through Burp.

Analyze the Filter Request


1. Select a Category:

Choose any category from the product filter (e.g., Pets).

Observe the application reloading or updating the product list.



2. Capture the Request in Burp:

Submit the request for the selected category.

Burp Suite will intercept the HTTP request.

Send it to Repeater.

In Repeater, check the request body and note the search/GET parameters.

Add ' (a single quotation mark) at the end of the search parameter, send the request, and check the response for signs of SQL injection.

Perform SQL Injection to Determine Column Count:

Add the SQL query ' ORDER BY 1-- to find out the number of columns in the table.

Note: increase the number from 1 until the response shows an error.

Now use a SQL UNION injection with NULL values to check the number of columns in the table.

SQL UNION injection:

' UNION SELECT NULL,NULL,NULL--

Identify a Column Compatible with String Data

1. Inject the Random String:

Replace one NULL value in the query with the provided string (e.g., abcdef):

Test Each Column:

If the query returns an error or the string doesn't appear in the response, move the string to the next column and retry:

'+UNION+SELECT+NULL,'abcdef',NULL--

'+UNION+SELECT+NULL,NULL,'abcdef'--

Verify the Exploit:

Ensure the success message appears, indicating the lab is complete.

Lab - SQL Injection UNION Attack, Retrieving Data from Other Tables

Objective
Exploit a SQL injection vulnerability in the product category filter to retrieve data
from other tables. This lab teaches how to extract sensitive information (e.g.,
usernames and passwords) using a SQL injection UNION attack.

Preparation
1. Access the Lab:



Open the lab link in your browser.

2. Set Up Burp Suite:

Launch Burp Suite.

Configure your browser to proxy traffic through Burp.

Analyze the Request


1. Select a Category:

Choose any product category from the filter (e.g., TECH Gift).

Observe the application loading or updating the product list.

2. Intercept the Request:

Capture the HTTP request for the selected category using Burp Suite.

Send it to Repeater and note the request body.

Look for the category parameter in the Repeater request body, add ' (a single quotation mark) at the end of it, send the request, and check the response for signs of SQL injection.

Perform SQL Injection to Determine Column Count:

Add the SQL query ' ORDER BY 1-- to find out the number of columns in the table.

Note: increase the number from 1 until the response shows an error.

Identify a Column's Data Type

1. Inject the Random String:

Replace one NULL value in the query with the provided string (e.g., abcdef):

Test Each Column:

If the query returns an error or the string doesn't appear in the response, move the string to the next column and retry:

'+UNION+SELECT+NULL,'abcdef',NULL--

'+UNION+SELECT+NULL,NULL,'abcdef'--

Identify Relevant Tables:

Look for table names related to users, e.g., users.

Extract User Data:

Query the users table to extract usernames and passwords. For example:

'+UNION+SELECT+username,password,NULL+FROM+users--

Check the response and find the administrator account and its password.

Copy the administrator username and password from the response.

Go back to the lab in the browser and log in to the administrator account with that username and password.

Lab Solved !!
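
The probing sequence used in the UNION labs above (a trailing quote, ORDER BY n, then UNION SELECT) leaves a recognizable trail in request logs. As an added example (not from the original guide), this Python code flags that sequence per client; the log line format, the rule names and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "client method url status" form (assumed format).
SAMPLE_LOG = """\
10.0.0.5 GET /filter?category=Gifts 200
10.0.0.7 GET /filter?category=Gifts' 500
10.0.0.7 GET /filter?category=Gifts'+ORDER+BY+1-- 200
10.0.0.7 GET /filter?category=Gifts'+ORDER+BY+4-- 500
10.0.0.7 GET /filter?category=Gifts'+UNION+SELECT+NULL,NULL,NULL-- 200
10.0.0.7 GET /filter?category=Gifts'+UNION+SELECT+username,password,NULL+FROM+users-- 200
10.0.0.9 GET /filter?category=Food+%26+Drink 200
"""

# Heuristic rules (hypothetical names); each looks for a quote followed by SQL syntax.
RULES = [
    ("order_by_probe", re.compile(r"'\s*order\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"'\s*union\s+(all\s+)?select\b", re.I)),
    ("comment_terminator", re.compile(r"'.*(--|#)\s*$", re.S)),
    ("trailing_quote", re.compile(r"'\s*$")),
]

def classify(value):
    """Return the names of every rule the decoded parameter value matches."""
    return [name for name, rx in RULES if rx.search(value)]

def scan(log_text, param="category"):
    """Map client -> list of (status, rule names) for requests that matched a rule."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        client, _method, url, status = line.split()
        # parse_qs percent-decodes and turns '+' into a space, so encoded
        # variants of the same probe reach the rules in one canonical form.
        for value in parse_qs(urlsplit(url).query).get(param, []):
            rules = classify(value)
            if rules:
                hits[client].append((int(status), rules))
    return dict(hits)

def suspicious_clients(hits, min_kinds=2):
    """Clients whose requests hit at least min_kinds different rules."""
    return sorted(c for c, evs in hits.items()
                  if len({r for _, rules in evs for r in rules}) >= min_kinds)

if __name__ == "__main__":
    print(suspicious_clients(scan(SAMPLE_LOG)))
```

The alternating 200 and 500 statuses recorded for the ORDER BY requests are the same signal the lab steps rely on, so they are worth alerting on together with the rule matches.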

Lab - SQL Injection UNION Attack, Retrieving Multiple Values in a Single Column

Objective
Exploit a SQL injection vulnerability in the product category filter to retrieve
multiple pieces of data in a single column. This attack targets an application where
the results of a query are returned in a single column of the application's
response.
