Burp Suite User Forum


Broken Lab: Visible error-based SQL injection

root-at-iyn | Last updated: Jul 04, 2023 02:38PM UTC

This lab was broken; it kept on giving the same error message: "Unterminated string literal started at position 95 in SQL SELECT * FROM tracking WHERE id = 'jUp8oNzaKr4pzj9y' AND 1 = CAST((SELECT password FROM users L'. Expected char". I tried looking at the solution for the lab to make sure I'm not wrong, but the solution is the same. We should have seen a response like: "ERROR: invalid input syntax for type integer: "{PASSWORD VALUE}"". I tested with the payload listed in the lab solution as well. Anyone else notice this? I've just come across this today, and sadly wasted hours before checking the solution :D

Ben, PortSwigger Agent | Last updated: Jul 04, 2023 04:17PM UTC

Hi, I have just run through this lab and it appears to be working as expected. Are you able to provide a screenshot of the request that you are sending when you see this particular error so that we can see exactly what you are sending? Out of interest, do you have spaces in the 1=CAST portion of the query (so do you have this as AND 1 = CAST...?).

root-at-iyn | Last updated: Jul 04, 2023 07:43PM UTC

Hi, Thanks for the response. The example below was done using the Python requests library, but I've tried in Burp as well with the same payload, and I get the same results. The payload I'm sending is:

TrackingId=MU2QtC4pem9PdAXB' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--

The request and server response page is below:

***** SENDING REQUEST ... *****
GET /filter HTTP / 1.1
Host: https://0a6a0021048e77d58515d67c00d40088.web-security-academy.net
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Cookie: TrackingId=Ev5TFIOKCGzyLBji' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--; session=IvCNqQyB2mIxP6Fihta4UtTSv4voILOi

***** RECEIVED RESPONSE ... *****
Status: 500
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Encoding: gzip
Connection: close
Content-Length: 888

<!DOCTYPE html> <html> <head> <link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet> <link href=/resources/css/labs.css rel=stylesheet> <title>Visible error-based SQL injection</title> </head> <script src="/resources/labheader/js/labHeader.js"></script> <div id="academyLabHeader"> <section class='academyLabBanner'> <div class=container> <div class=logo></div> <div class=title-container> <h2>Visible error-based SQL injection</h2> <a id='lab-link' class='button' href='/'>Back to lab home</a> <a class=link-back href='https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based'> Back&nbsp;to&nbsp;lab&nbsp;description&nbsp; <svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow> <g> <polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon> <polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon> </g> </svg> </a> </div> <div class='widgetcontainer-lab-status is-notsolved'> <span>LAB</span> <p>Not solved</p> <span class=lab-status-icon></span> </div> </div> </div> </section> </div> <div theme=""> <section class="maincontainer"> <div class="container is-page"> <header class="navigation-header"> </header>
<h4>Unterminated string literal started at position 95 in SQL SELECT * FROM tracking WHERE id = 'Ev5TFIOKCGzyLBji' AND 1=CAST((SELECT password FROM users LIM'. Expected char</h4>
<p class=is-warning>Unterminated string literal started at position 95 in SQL SELECT * FROM tracking WHERE id = 'Ev5TFIOKCGzyLBji' AND 1=CAST((SELECT password FROM users LIM'. Expected char</p>
</div> </section> </div> </body> </html>

Michelle, PortSwigger Agent | Last updated: Jul 05, 2023 08:27AM UTC

Hi, Looking through the response, the query you sent has been truncated. This is similar to the stage of the lab described in steps 12 and 13 of the lab solution. If you remove the original value of the tracking ID from the request you're sending, that should free up some characters that your query can then use. I hope this helps. Please let us know if you have any questions.
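
As an added illustration (not code from this thread, from PortSwigger, or from the lab itself), here is a small Python model of the truncation Michelle describes. In both error messages posted above the quoted SQL stops exactly 60 characters into the cookie value, so the 60-character cap is an inference from those messages, not a documented lab setting; the position the checker returns is the 0-based index of the quote that opened the unterminated literal, which is what the posted message reports.

```python
# Added example: model why the lab returns "Unterminated string literal
# started at position 95" when the injected cookie value is too long.
# COOKIE_LIMIT is inferred from the two error messages in the thread, in
# which the quoted SQL ends 60 characters into the cookie value.
COOKIE_LIMIT = 60  # assumption inferred from the posted errors
QUERY_PREFIX = "SELECT * FROM tracking WHERE id = '"  # as shown in the error


def build_query(tracking_id: str, limit: int = COOKIE_LIMIT) -> str:
    """Mimic an application that keeps at most `limit` characters of the
    cookie value and concatenates them straight into SQL (the lab's
    vulnerable pattern), then closes the quote it opened."""
    return QUERY_PREFIX + tracking_id[:limit] + "'"


def unterminated_literal_position(sql: str):
    """Return the 0-based index of the quote that opens an unterminated
    single-quoted literal, or None if every literal is closed.  A doubled
    quote ('') inside a literal is an escaped quote, and '--' starts a
    comment that runs to end of line, as in PostgreSQL."""
    i, n = 0, len(sql)
    while i < n:
        if sql.startswith("--", i):          # comment: skip to end of line
            newline = sql.find("\n", i)
            if newline == -1:
                break
            i = newline + 1
            continue
        if sql[i] != "'":
            i += 1
            continue
        start = i                             # literal opened here
        i += 1
        while i < n:
            if sql[i] == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2                    # escaped quote, still inside
                    continue
                break                         # literal closed
            i += 1
        else:
            return start                      # ran off the end: unterminated
        i += 1
    return None


if __name__ == "__main__":
    # The value from the thread: 16-char tracking ID followed by the payload.
    full = "Ev5TFIOKCGzyLBji' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--"
    print(build_query(full), unterminated_literal_position(build_query(full)))
    # Without the original ID the payload fits inside the limit.
    short = "' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--"
    print(build_query(short), unterminated_literal_position(build_query(short)))
```

With the original 16-character ID in front, the trailing `--` is cut off by the cap, so the application's closing quote opens a literal that never ends; dropping the ID leaves the comment in place and the query parses.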

root-at-iyn | Last updated: Jul 05, 2023 09:16AM UTC

Thanks Michelle, I'll kick myself for that one, I didn't take note in the solution or even think of that.
