Burp Suite User Forum


Support on this SQL statement

Moses | Last updated: Aug 03, 2021 10:45AM UTC

Hello, so I've been learning about web app pentesting through the Academy module on PortSwigger. It's been a good ride, I can say, since I didn't have prior knowledge about web app security, and above all I'm learning the Burp Suite tool and other tools. I am totally happy about it. So I encountered this SQL statement during Blind SQLi and it has been giving me a tough time. A little support could do. Find it below:

' AND (SELECT 'a' FROM users LIMIT 1)='a

And what does this SQL statement also translate to?

' AND '1'='1

And what's the difference between ' AND '1'='1 and ' OR '1'='1?

Also, on some occasions I can't use ' AND '1'='1# or ' OR '1'='1-- (the # and -- comment-out signs, that is). Kindly note that the "or" and "and" in small letters are just comparison operators in my questions.

Michelle, PortSwigger Agent | Last updated: Aug 03, 2021 02:32PM UTC

Thanks for your message, it's great to hear that you're enjoying the Academy labs :) Are your questions in relation to the lab 'Blind SQL injection with conditional responses'? If so, what these statements are aiming to show is whether something is true or false, and so work out if something exists. The AND statements allow you to combine the TrackingID with another test; the overall result will only be true if both parts of the statement (either side of the AND) are true. So, if the TrackingID is wrong but the second statement is correct, then the "Welcome Back" message will not be displayed. The same applies vice versa: if the TrackingID is correct but the second half of the statement is false, the "Welcome Back" message will not be displayed. If you use OR, only one of the two statements has to be true for the overall result to be true. I hope that makes sense/helps! Is there a particular step in the solution that's causing you problems?

Moses | Last updated: Aug 04, 2021 09:10AM UTC

Thanks for your response Michelle, yes it was based on the Blind SQLi with conditional responses. You were very clear on it, and I wish you could see the smile on my face as I read it, because that's something new learnt today. I appreciate it. On the same note, could you kindly help me out on the following:

' AND (SELECT 'a' FROM users LIMIT 1)='a

And why do we have the extra single quotes on the SQL statement we are injecting below (Blind SQLi with conditional responses using the TrackingID)?

...xyz' AND '1'='1

Michelle, PortSwigger Agent | Last updated: Aug 05, 2021 12:27PM UTC

Hi, for your first question, have you watched the community videos that are linked to the lab? You might find the one by Rana Khalil useful; as well as the demo of the labs, there are some good descriptions of what the SQL commands are doing that might help you to understand a bit more of the background and fill in some more detail. For your second question about the quotes, I'd suggest popping back to one of the earlier pages in the Academy resources. I often find it's really helpful to go back and look at some of the earlier examples to help understand examples later on that may be a little more complex. You might find the section 'Retrieving hidden data' on this page useful: https://portswigger.net/web-security/sql-injection. This gives some examples of URLs and the SQL queries that are then generated by the application being discussed. In the first example, you can see how the following URL does not include single quotes, but this URL causes the application to make a SQL query that has inserted the word Gifts into the appropriate part of the SQL statement:

(Extract from https://portswigger.net/web-security/sql-injection)

When the user clicks on the Gifts category, their browser requests the URL:

https://insecure-website.com/products?category=Gifts

This causes the application to make an SQL query to retrieve details of the relevant products from the database:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

The subsequent examples on the same page then show this being built upon and how, by thinking about the actual SQL statement that's being generated/built by the application, you can start to influence the results returned. Good luck with the labs!

Moses | Last updated: Aug 06, 2021 11:20AM UTC

Hey, thanks for the response. I had already worked on the previous labs and they helped to build my skills on each subsequent step. As always, there are always questions that arise. I worked on Blind SQLi with conditional responses, did some more digging on them, and actually identified that the lab on this topic has a PostgreSQL database. I did more tests on them, actually made notes of that lab and noted a lot. For example, on this:

...xyz' AND '1'='1

I noted that there was no extra SQL being processed in that query, hence if I tried ...xyz' AND '1'='1-- it would be 'executed' but then logically it would be incorrect; hence the structure of the query I am testing can be ...xyz' AND '1'='1' ending with a ' at the end. Thanks for your support, I am so grateful for that. I will keep this chat open; maybe when any questions arise I'll drop them here. It will help in answering the million plus questions that I see on community videos. Blessed.
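Putting Michelle's AND/OR explanation, the query-building point from the Academy extract, and Moses's observation about the trailing quote together, here is an added example that is not part of this thread. It assumes an in-memory SQLite stand-in (the lab itself runs PostgreSQL, and its table and column names are not given here, so `tracking` and `trackingid` are constructed); it shows the query the application assembles from the cookie value, why `' AND '1'='1` needs no closing quote of its own, and how a parameterized query stops the fragment from being parsed as SQL.

```python
import sqlite3

# Constructed stand-in for the lab's tracking table and users table
# (the real lab runs PostgreSQL; SQLite is used here so this runs offline).
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE tracking (trackingid TEXT);
    INSERT INTO tracking VALUES ('xyz');
    CREATE TABLE users (username TEXT);
    INSERT INTO users VALUES ('administrator');
""")


def build_query(tracking_id):
    """Vulnerable pattern: the cookie value is pasted between the
    application's own single quotes, so the fragment ' AND '1'='1 needs
    no closing quote of its own; the application's quote closes it."""
    return f"SELECT trackingid FROM tracking WHERE trackingid = '{tracking_id}'"


def welcome_back_vulnerable(tracking_id):
    """True when the assembled query returns a row, i.e. the page would
    show 'Welcome back'. With AND, both the cookie value and the injected
    condition must be true; with OR, one of them is enough."""
    return conn.execute(build_query(tracking_id)).fetchone() is not None


def welcome_back_parameterized(tracking_id):
    """Fixed version: the value is bound as a parameter, so quotes and
    keywords inside it are compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT trackingid FROM tracking WHERE trackingid = ?", (tracking_id,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    # The last value shows Moses's point: with the application's trailing
    # quote, '1'='1--' is just a string comparison that happens to be false.
    for cookie in ["xyz", "xyz' AND '1'='1", "xyz' AND '1'='2",
                   "wrong' AND '1'='1", "wrong' OR '1'='1", "xyz' AND '1'='1--"]:
        print(f"{cookie!r:28} -> query: {build_query(cookie)}")
        print(f"{'':28}    vulnerable: {welcome_back_vulnerable(cookie)}, "
              f"parameterized: {welcome_back_parameterized(cookie)}")
```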
