Burp Suite User Forum

Login to post

Why simple quote is necessary in SQL Blind Injection using TrackingID?

s4rt0rium | Last updated: Dec 16, 2021 10:41PM UTC

I'm in first lab of Blindd SQL Injection and payload for test is: TrackingId=xyz' AND '1'='1 Why is necessary this quotes in '1' and '1?

Ben, PortSwigger Agent | Last updated: Dec 17, 2021 02:50PM UTC

Hi, You are using the single quotes to manipulate the underlying SQL query that the web application is making. The query being used is likely to be something similar to this (using a made up TrackingID value): SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'abcdefg' By entering the injection suggested in the solution you are manipulating the SQL query being used to be: SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'abcdefg' AND '1'='1' This allows you to use the AND conditional statement to determine what happens both when the statement is true and when the statement is false.

You need to Log in to post a reply. Or register here, for free.