Burp Suite User Forum

Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

Niko | Last updated: Mar 26, 2020 07:14AM UTC

Hi, How do i solve this? I think there may be a problem because whenever i try to solve it, it always goes to a "Invalid Product ID" and it's strange because i even looked at the solution after my SQL codes didn't work and it still didn't work when copying the solution. This is the code i used in BOTH the URL and in burp (the header) '+OR+1=1-- I even tried this one: 'OR 1=1-- Yhis still didn't work. I was always redirected to "invalid Product ID". I tried keeping the ID with the SQL query afterwards but still no change. I think the lab must be a bit defect or am i doing anything wrong? Thanks for your assistance!

Hannah, PortSwigger Agent | Last updated: Mar 26, 2020 11:03AM UTC

Can you confirm that you are staying on the root page and using the filters as the injection point? I have just tested this lab with the solution provided and can confirm it is all working as expected.

You need to Log in to post a reply. Or register here, for free.