Burp Suite User Forum

Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft [Broken]

Brendan | Last updated: Jan 21, 2020 02:50AM UTC

I'm pretty experienced with SQL injection. I've been doing this lab and I even copied and pasted the answer from the solution section into the proper category and it still is returning a database error. The lab is broken; please fix.

Devaraj | Last updated: Mar 09, 2020 06:58PM UTC

Yeah, I also did exactly what you did, @Brendan, and am receiving errors. Please fix the lab.

Ben, PortSwigger Agent | Last updated: Mar 09, 2020 07:13PM UTC

Hi, I have just tried this lab and was able to successfully solve it using the solution provided, so the lab is working. The solution will work as stated when you are using Burp to issue the modified request (either via the Proxy or Repeater). If you are entering the payload directly into the browser, you will have to think about how to encode the # character (# is a reserved character).

Rohit | Last updated: Apr 27, 2020 10:23AM UTC

This lab is working fine. If you are trying directly from the browser, try %23 for (#), and don't forget to put the = sign after category, i.e. category=payload

moyerap | Last updated: Nov 04, 2020 04:22AM UTC

Hi, I am using '-- ' i.e. 'hyphen hyphen and space' for commenting, even then it isn't working. Any ideas as to why it won't be working there? Thanks.

Luke | Last updated: Jan 07, 2021 03:18AM UTC

If you look at the reference you can see that MySQL requires a space after a -- comment. The browser is probably removing it or you weren't using it; you can append a + to the end to specify a space, i.e. --+, or use the above method.
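
The encoding points raised in the replies from Ben, Rohit and Luke can be checked with the WHATWG URL parser, which follows the same rules browsers apply to a typed address. This is an added example, not part of any forum post or of the lab; the host `lab.example`, the path `/filter` and the value `Gifts` are constructed placeholders, and it assumes the server decodes the query string as form-urlencoded.

```javascript
// Added example: what a server receives for the "category" parameter when
// a URL is typed into the address bar. Host, path and values are constructed.
function whatServerSees(typedUrl) {
  const u = new URL(typedUrl); // WHATWG URL parser (browser rules)
  return {
    // Path and query are what go on the HTTP request line.
    requestTarget: u.pathname + u.search,
    // The fragment stays in the client and is never transmitted.
    fragment: u.hash,
    // URLSearchParams applies form-urlencoded decoding ("+" becomes a space);
    // assumption: the server framework decodes the query the same way.
    category: u.searchParams.get("category"),
  };
}

function report() {
  const base = "https://lab.example/filter?category=";
  const typed = {
    rawHash: base + "Gifts#rest",        // "#" typed literally
    encodedHash: base + "Gifts%23rest",  // "#" percent-encoded
    trailingSpace: base + "Gifts-- ",    // "-- " with a literal trailing space
    plusSpace: base + "Gifts--+",        // "+" used for the trailing space
    pct20Space: base + "Gifts--%20",     // "%20" used for the trailing space
  };
  const out = {};
  for (const [name, url] of Object.entries(typed)) {
    out[name] = whatServerSees(url);
  }
  return out;
}

// Show each typed URL next to the value that actually reaches the server.
for (const [name, seen] of Object.entries(report())) {
  console.log(name.padEnd(14), JSON.stringify(seen));
}
```

A literal `#` ends the query and everything after it is dropped from the request, while a literal trailing space is stripped by the parser before the request is built; the encoded forms survive both steps.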
