Burp Suite User Forum


3 SQLI labs are not working

Omer | Last updated: Jun 11, 2022 11:52AM UTC

Hello,

This is a bug report about your labs, NOT Burp Suite. I posted it here, because this is the only forum I found. The labs listed below are not working. I even copied and pasted the answers from the solution section but they did not work either. Have a look yourself;

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle

Ben, PortSwigger Agent | Last updated: Jun 13, 2022 08:15AM UTC

Hi Omer,

The labs are working as expected.

For the 'SQL injection attack, querying the database type and version on MySQL and Microsoft' lab - are you simply copying the provided payload directly into the address bar of the browser or are you using Burp? If it is the former, you need to consider whether a certain, special character needs to be encoded (if you send the payload using Burp, Burp does this for you).

For the other three labs, you cannot simply copy the written solution - as the solution mentions, you need to discover the names of the columns and tables unique to your lab instance and use these within the payloads you are sending (each lab will generate unique table/column names).

Omer | Last updated: Jun 14, 2022 01:18AM UTC

YESSSSSSSSSSS, All of them worked PERFECTLY after doing what you've said. It was my fault. The confusing thing for me was, however, enumerating the DB versions. It worked in the first (Oracle) lab when I did it from my browser, but the second one (MySQL) was iffy. I was expecting it to work just like the former one from my browser. LOL... Thanks for your help.

HEY! Here is a recommendation that just came to my mind after seeing your new JWT labs... How about adding Prototype Pollution labs? I see them everywhere lately.

Ben, PortSwigger Agent | Last updated: Jun 14, 2022 08:25AM UTC

Hi Omer,

Not a problem - glad to hear that you were able to solve them in the end. Thanks for your suggestion - we will pass it on to the Academy team.
