SQLi - [PortSwigger]

Marmeus

Introduction

Compilation of all apprentice and practitioner SQL injection labs from PortSwigger Academy.

SQL injection vulnerability in WHERE clause allowing retrieval of hidden data [Apprentice]

SQL injection vulnerability allowing login bypass [Apprentice]

SQL injection UNION attack, determining the number of columns returned by the query [Practitioner]

SQL injection UNION attack, finding a column containing text [Practitioner]

SQL injection UNION attack, retrieving data from other tables [Practitioner]

SQL injection UNION attack, retrieving multiple values in a single column [Practitioner]

SQL injection attack, querying the database type and version on Oracle [Practitioner]

SQL injection attack, querying the database type and version on MySQL and Microsoft [Practitioner]

SQL injection attack, listing the database contents on non-Oracle databases [Practitioner]

SQL injection attack, listing the database contents on Oracle [Practitioner]

Blind SQL injection with conditional responses [Practitioner]

Blind SQL injection with conditional errors [Practitioner]

Blind SQL injection with time delays [Practitioner]

Blind SQL injection with time delays and information retrieval [Practitioner]

Blind SQL injection with out-of-band interaction [Practitioner]

Blind SQL injection with out-of-band data exfiltration [Practitioner]

SQL injection with filter bypass via XML encoding [Practitioner]

According to the lab statement, the check stock option is vulnerable to SQL injection. However, a simple SQLi attempt produces the following result.

Payload:

Response:

However, encoding the ' character in XML format makes it possible to obtain a result.

Because it seems to be a UNION SQLi, let's try to obtain the database.

Because the structure of the database is known from previous exercises, it is possible to extract everything at once.
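Why the XML-encoded quote gets past the filter, and what stops it, shown as an added example that is not part of the original write-up or of the lab's code. The blocklist, the XML element names and the SQLite table are assumptions standing in for the lab's filter and back end, and both request bodies are constructed.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Assumed blocklist standing in for the lab's filter; its real rules are not on the page.
BLOCKED = ("'", "union", "select")

# Constructed request bodies; the element names are assumptions.
PLAIN_BODY = "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
ENCODED_BODY = "<stockCheck><productId>1</productId><storeId>1&#x27;</storeId></stockCheck>"


def raw_filter_allows(body: str) -> bool:
    """Weak check: scans the XML text as received, before references are decoded."""
    lowered = body.lower()
    return not any(token in lowered for token in BLOCKED)


def parsed_store_id(body: str) -> str:
    """The value the application works with: the parser turns &#x27; back into '."""
    return ET.fromstring(body).findtext("storeId", default="")


def decoded_filter_allows(body: str) -> bool:
    """Same blocklist, applied to the decoded value the query would receive."""
    value = parsed_store_id(body).lower()
    return not any(token in value for token in BLOCKED)


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the stock back end (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stock (store_id TEXT, units INTEGER)")
    db.execute("INSERT INTO stock VALUES ('1', 42)")
    return db


def stock_lookup(db: sqlite3.Connection, body: str):
    """Root-cause fix: bind the value as a parameter so a quote stays data."""
    row = db.execute(
        "SELECT units FROM stock WHERE store_id = ?", (parsed_store_id(body),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for name, body in (("plain", PLAIN_BODY), ("encoded", ENCODED_BODY)):
        print(name, raw_filter_allows(body), decoded_filter_allows(body),
              repr(parsed_store_id(body)), stock_lookup(db, body))
```

A filter that inspects the body before the XML parser runs sees a different string from the one that reaches the query, so inspection has to happen after decoding, and the query itself should not depend on the filter at all.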