SQL Injection

SQL injection - also known as "sqli" and short for sequel injection - is one of the most commonly used hacking strategies.
Even today it is still posing a great threat to many online services with improper security.

TASK

  Below are different vulnerable SQLi targets. Think of those pages as an online store.
  Try to obtain the 'date of birth' and 'products ordered' from any customer.
  Pick your desired target and take into consideration the different levels of security that may apply for each sector.

  Online Store for Electronics
  Online Store for Model Trains
  Online Store for Flowers

INFORMATION

  The method of SQLi is based on escaping the matrix... more or less.
  Commonly you will be using search forms and input fields.

  Example:

     Input "Banana" into a search box.
     The site will instantly answer with "Here are possible Banana results".
     
     Now, if you instead input "Banana´ AND sleep(100)" it will wait 100 milliseconds before answering.
     
     You can now inject different characters and sql statements and see what results you get.

0x9 Pentesting Lab

SQL Injection

SQL injection - also known as "sqli" and short for sequel injection - is one of the most commonly used hacking strategies. Even today it is still posing a great threat to many online services with improper security.

TASK

INFORMATION

SQL injection - also known as "sqli" and short for sequel injection - is one of the most commonly used hacking strategies.
Even today it is still posing a great threat to many online services with improper security.