PortSwigger Academy Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft

Jun Takemura · March 5, 2025


Task

This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

To solve the lab, display the database version string.

Attempt

You can filter the results by category. I inspected the GET request to https://ID.web-security-academy.net/filter?category=Accessories, sent it to Repeater and tested category='. It gave an internal server error, potentially indicating SQLi (though it's obvious from the task description lol).

First I tried to find out how many columns the original query returns:

1'+UNION+SELECT+NULL,NULL--+-

Bingo. So there are two columns. What I needed to know was the database version:

1'+UNION+SELECT+NULL,VERSION()--+-

The version string was hard to spot in the response, so I tweaked the query a bit to label it:

1'+UNION+SELECT+NULL,CONCAT('MySQL Version: ', VERSION())--+-

But actually I didn't need to do this, because just showing the version string on the page solves the lab.

Mitigation

Use prepared statements (parameterized queries) so that user input such as the category is passed to the database as a value and never concatenated into the SQL text.
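As an added illustration of the mitigation (this is not the lab's own code), here is a minimal category filter written both ways in Python, with an in-memory SQLite table standing in for the lab's database; the table contents, function names and the SQLite-flavoured payload are constructed for the example:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the lab's product table (two displayed columns).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Folding Gadget", "Fits in a pocket", "Accessories"),
         ("Giant Pillow", "Very soft", "Lifestyle")],
    )
    return conn


def filter_unsafe(conn: sqlite3.Connection, category: str) -> list:
    # Vulnerable: the category is pasted into the SQL text, so a quote closes
    # the string literal and whatever follows (UNION, comment) becomes SQL.
    sql = f"SELECT name, description FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def filter_safe(conn: sqlite3.Connection, category: str) -> list:
    # Hardened: the value travels separately from the SQL text, so the driver
    # treats the entire input as one literal and nothing in it can alter the query.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


# The lab's payload, with SQLite's version function in place of MySQL's VERSION().
PAYLOAD = "1' UNION SELECT NULL, sqlite_version()-- -"

if __name__ == "__main__":
    db = make_db()
    print(filter_unsafe(db, PAYLOAD))  # engine version comes back as a "product" row
    print(filter_safe(db, PAYLOAD))    # [] - no category is literally named that
```

Running it shows the same input leaking the engine version through the concatenated query while the parameterized query simply finds no such category.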
