The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


About the Web Academy content

Ezau | Last updated: Nov 15, 2021 06:44PM UTC

Hi. I'm completely new to hacking and I'm learning web hacking through the academy here. I've noticed that some labs in the academy have their contents differing from the solutions provided by the academy.

For example: in this learning material about blind SQL injection (https://portswigger.net/web-security/sql-injection/blind), you can see that the material teaches the following command:

xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm

I spent like 4 hours trying to solve one of the labs for this topic (this lab: https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses) with no success, till I decided to see the solutions provided. In the solution, I discovered the command was wrong. To solve the lab, the following command is used:

xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')>'m

Look at the difference between the two commands. It's like the SELECT and SUBSTRING words were in the wrong position (the SELECT comes first in the right query).

Another lab where this kind of thing happens is this (https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors), where the learning material shows this code:

xyz' AND (SELECT CASE WHEN (Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') THEN 1/0 ELSE 'a' END FROM Users)='a

and the solution provided uses this kind of code:

xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||

Look at the double pipes "||" used. They were not mentioned in the learning material for this lab.

I noticed this kind of thing happens in more labs (I already found 4 or 5 labs like these). I came here to ask if the content of the web academy isn't updated or if this kind of thing is done on purpose, hoping that the student can discover this kind of error in the code, so I feel dumb for not solving the lab without seeing the solution.

So, I came here to ask this because when I get stuck in the labs and read the solution provided, I usually find that solving the lab needs something that was not mentioned in the learning material. Is the content not updated or is it just that I'm not getting things right? Thanks!
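An added example, not part of the original post or of the Web Security Academy material: it runs the two query shapes quoted above against a constructed in-memory SQLite database, first through a concatenated query and then through a parameterized one. The `tracking` table, the function names and the password value are assumptions made for the demo, and SQLite's `substr()` stands in for `SUBSTRING`.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the lab: a tracking table and a users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tracking (id TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO tracking VALUES ('xyz');
        INSERT INTO users VALUES ('administrator', 'q7-constructed');
    """)
    return db

def welcome_vulnerable(db, tracking_id):
    # Vulnerable on purpose: the cookie value is concatenated into the SQL text.
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    return db.execute(sql).fetchone() is not None

def welcome_parameterized(db, tracking_id):
    # Hardened: the value is bound as data and never parsed as SQL.
    sql = "SELECT id FROM tracking WHERE id = ?"
    return db.execute(sql, (tracking_id,)).fetchone() is not None

# SQLite spells the function substr(); otherwise these are the post's strings.
MATERIAL_SHAPE = ("xyz' AND substr((SELECT password FROM users "
                  "WHERE username = 'administrator'), 1, 1) > 'm")
SOLUTION_SHAPE = ("xyz' AND (SELECT substr(password,1,1) FROM users "
                  "WHERE username='administrator')>'m")
# Same shape as MATERIAL_SHAPE, with the capitalised names from the material.
# Identifiers are case-insensitive in SQLite, string literals are not, so
# 'Administrator' matches no row and the subquery evaluates to NULL.
MATERIAL_CASING = ("xyz' AND substr((SELECT Password FROM Users "
                   "WHERE Username = 'Administrator'), 1, 1) > 'm")

def compare(db):
    """Return {name: (concatenated_result, parameterized_result)}."""
    values = {"plain": "xyz", "material_shape": MATERIAL_SHAPE,
              "solution_shape": SOLUTION_SHAPE, "material_casing": MATERIAL_CASING}
    return {name: (welcome_vulnerable(db, v), welcome_parameterized(db, v))
            for name, v in values.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in compare(make_db()).items():
        print(f"{name:16} concatenated={vuln!s:5} parameterized={safe}")
```

In this SQLite demo the two subquery shapes return the same result, and only the capitalised `'Administrator'` literal changes it, because the stored username is lowercase. With the parameterized query every one of the strings is compared as a literal tracking ID and matches nothing.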

Michelle, PortSwigger Agent | Last updated: Nov 16, 2021 02:17PM UTC