01 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.
Given: injection point (the product category filter)
End goal: perform a SQL injection attack that causes the application to display one or more unreleased products.
As the challenge suggests looking for the SQLi in the product category filter, I started the lab by clicking the 'ACCESS THE LAB' button. On the webpage, the product categories are shown below -
When a user clicks on any category, a query containing the category name is sent to the database. I started Burp Suite to intercept the request. The request for the product category filter looks like -
Putting a ' at the end of Gifts gives a 500 error, which indicates a database error (the unbalanced quote breaks the SQL syntax). As we know, the query is:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
We can append
' or 1=1 --
so that the quote closes the string literal, or 1=1 makes the WHERE clause true for every row, and -- comments out the released filter. The modified query in the backend would then be - SELECT * FROM products WHERE category = 'Gifts' or 1=1 --' AND released = 1
It shows all the products, including those that are not released yet.
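To make the mechanics concrete from the defender's side, here is an added example (not part of the original write-up and not the lab's code) using an in-memory SQLite table with a constructed product catalogue. It places the lab's flaw, the category concatenated into the SQL text, next to the hardened form where the category is passed as a bound parameter, and shows what each returns for a normal category, for the probe with a lone quote, and for the payload from the write-up. Table and column names follow the lab's query; the product rows are invented.

```python
import sqlite3

# Constructed sample catalogue (not the lab's real data): two released
# gifts, one unreleased gift, and one released product in another category.
SAMPLE_PRODUCTS = [
    (1, "Gifts", "Mug", 1),
    (2, "Gifts", "Candle", 1),
    (3, "Gifts", "Secret Gift", 0),  # unreleased: must never be shown
    (4, "Toys", "Kite", 1),
]


def setup_db():
    """Create the products table the lab's query refers to and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products ("
        "id INTEGER PRIMARY KEY, category TEXT, name TEXT, released INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def filter_vulnerable(conn, category):
    """Mirrors the lab's flaw: user input is spliced into the SQL string,
    so a quote in the input changes the structure of the statement."""
    sql = (
        f"SELECT name FROM products WHERE category = '{category}' "
        f"AND released = 1 ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def filter_parameterised(conn, category):
    """Hardened form: the category is bound as a parameter, so the database
    treats it purely as data and the released filter can't be commented out."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1 ORDER BY id"
    return [row[0] for row in conn.execute(sql, (category,))]


def single_quote_breaks_query(conn):
    """The probe from the write-up: a stray ' on the vulnerable path leaves an
    unterminated string literal, which the database rejects (the lab's 500)."""
    try:
        filter_vulnerable(conn, "Gifts'")
    except sqlite3.Error:
        return True
    return False


def demo():
    """Run both query styles against the same input and return the results."""
    conn = setup_db()
    payload = "Gifts' or 1=1 --"  # the payload discussed in the write-up
    return {
        "probe_errors": single_quote_breaks_query(conn),
        "vuln_normal": filter_vulnerable(conn, "Gifts"),
        "vuln_payload": filter_vulnerable(conn, payload),
        "safe_normal": filter_parameterised(conn, "Gifts"),
        "safe_payload": filter_parameterised(conn, payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path returns every row, the unreleased "Secret Gift" and the "Kite" from another category included, because the comment marker discards everything after `or 1=1`. The parameterised path returns nothing for the same input: there is no category literally named `Gifts' or 1=1 --`, and the `released = 1` condition is still enforced. Parameterised queries (prepared statements) are the fix; escaping or filtering quotes is not a substitute.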
Lab solved: