
18 - SQL injection with filter bypass via XML encoding

This lab contains a SQL injection vulnerability in its stock check feature. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables.

The database contains a users table, which contains the usernames and passwords of registered users. To solve the lab, perform a SQL injection attack to retrieve the admin user's credentials, then log in to their account.

Given: injection point (stock check), attack type (blind union), query result returned in the response, XML encoding, table (users), columns (username, password)
End goal: log in to the administrator account


As we know the injection point, intercept the stock check request in Burp, which looks like this:

(screenshot: burp intercept)

At the bottom of the request, below the headers, is the XML body that is used to check the stock.

(screenshot: header)

There are 2 elements in the XML body, so let's start with the first one: put the data and the query inside it encoded as XML hex character entities. This gets past the filter because the filter inspects the raw body, while the application's XML parser decodes the entities before the value reaches the query.

(screenshot: request header)

(make sure the hex entities are closed on the same line rather than on a new line)
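To show why the encoding works and what actually fixes it, here is an added example (not code from the lab or from this write-up). It assumes a constructed stock-check body with `productId` and `storeId` elements and a constructed keyword blocklist; it compares a filter on the raw body, the same filter after XML decoding, and a parameterized query.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample body in the lab's shape (two elements). The storeId
# carries the SQL keywords as XML hex character references (&#x55; is 'U',
# and so on), which is the encoding trick this write-up uses.
ENCODED_BODY = (
    "<stockCheck><productId>1</productId>"
    "<storeId>1 &#x55;&#x4e;&#x49;&#x4f;&#x4e; "
    "&#x53;&#x45;&#x4c;&#x45;&#x43;&#x54; 1</storeId>"
    "</stockCheck>"
)

# Assumed blocklist of the kind a naive filter or WAF rule would use.
BLOCKLIST = ("UNION", "SELECT")


def naive_filter_blocks(raw_body: str) -> bool:
    """Keyword check on the raw request body, before any XML decoding.
    The encoded keywords never appear literally, so nothing is blocked."""
    upper = raw_body.upper()
    return any(kw in upper for kw in BLOCKLIST)


def parse_stock_check(raw_body: str) -> dict:
    """Parse the body the way the application does: the XML parser resolves
    the character references, so the decoded text holds the real keywords."""
    root = ET.fromstring(raw_body)
    return {child.tag: (child.text or "") for child in root}


def normalized_filter_blocks(raw_body: str) -> bool:
    """Same keyword check, but run on the decoded values. A filter has to
    inspect what the application will see, not the bytes on the wire."""
    values = " ".join(parse_stock_check(raw_body).values()).upper()
    return any(kw in values for kw in BLOCKLIST)


def stock_lookup_parameterized(store_id: str) -> list:
    """The actual fix: a parameterized query binds store_id as data, so the
    decoded payload can only fail to match a row, never change the query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stock (product_id INTEGER, store_id INTEGER, units INTEGER)")
    con.execute("INSERT INTO stock VALUES (1, 1, 42)")
    rows = con.execute(
        "SELECT units FROM stock WHERE product_id = ? AND store_id = ?", (1, store_id)
    ).fetchall()
    con.close()
    return rows
```

Run against `ENCODED_BODY`, the raw-body filter passes the request, the post-decode filter blocks it, and the parameterized lookup simply returns no rows for the decoded value.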


In the response we can see the administrator user's password along with the product stock.

(screenshot: response)

Now go to My account and log in to the administrator account.

Lab solved:

(screenshot: Solved)