
Solve PortSwigger Lab
SQL injection with filter bypass via XML encoding
This challenge prevents you from injecting SQL queries directly: a WAF detects your query, so you need to obfuscate your payloads.
NOTE: In this tutorial we will try to get all the database information ourselves; we will not depend on the information about tables that is supplied with this challenge.
Steps:
1- Fire up your weapons (Burp) and access the lab
2- Intercept the POST request; you will see that the parameters are passed in XML format


3- Try putting any SQL syntax in the POST request and send it; you will see that the WAF detects your attack

4- So we need to obfuscate our payload. You can use Hackvertor or any encoder; here I used an HTML encoder to obfuscate the payload, then ran a simple query to see whether I had bypassed the WAF


5- Yes, the payload bypassed the WAF, so now we need to build queries to retrieve information from this DB
The first query returns all database tables, the second lists the columns of a selected table, and the final one retrieves data from the selected table:
– UNION SELECT table_name FROM information_schema.tables
– UNION SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users';
– UNION SELECT CONCAT(username,' -> ',password) FROM users;







Finally, we solved the challenge.
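
Why the encoding in step 4 works, seen from the defending side: the filter matches keywords on the raw request body, but the XML parser turns character references back into letters before the value reaches the query. The Python below is an added example, not part of the lab or of the original write-up; the request bodies are constructed, and the element names and the stock table are assumptions. It compares a filter on the raw body with a filter on the parsed values, then binds the value as a query parameter.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed request bodies; the element names are assumptions.
# In ENCODED, two letters of the storeId value are XML character references.
BENIGN = "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
ENCODED = ("<stockCheck><productId>1</productId>"
           "<storeId>1 &#x55;NION &#x53;ELECT NULL</storeId></stockCheck>")

SQL_KEYWORDS = re.compile(r"\b(union|select|information_schema)\b", re.I)


def raw_filter_flags(body):
    """Keyword match on the body as sent: what a pre-parse filter sees."""
    return bool(SQL_KEYWORDS.search(body))


def parsed_filter_flags(body):
    """Keyword match on the decoded values the application will receive."""
    # Stdlib parser used for brevity; prefer a hardened XML parser for untrusted input.
    root = ET.fromstring(body)
    return any(SQL_KEYWORDS.search(el.text or "") for el in root.iter())


def stock_lookup(body):
    """Bind the decoded value as a parameter so it is never parsed as SQL."""
    store_id = ET.fromstring(body).findtext("storeId")
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stock (store_id TEXT, units INTEGER)")  # assumed schema
    db.execute("INSERT INTO stock VALUES ('1', 42)")
    rows = db.execute("SELECT units FROM stock WHERE store_id = ?", (store_id,))
    return rows.fetchall()


if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("encoded", ENCODED)):
        print(name, raw_filter_flags(body), parsed_filter_flags(body), stock_lookup(body))
```

The raw filter misses the encoded body while the parsed filter flags it, and with parameter binding the decoded string is only compared as a store id, so it returns no rows.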