Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
This application has a SQL injection vulnerability in the product category filter.

We chose the Accessories filter and it displayed 3 products.
To probe the filter, we added a single quote (') at the end of the URL, and the application returned an error.
If we then add two dashes (--), the application returns a 200 OK response. Now the application returns 4 products.
From this we can assume that the query looks like this: SELECT * FROM products WHERE category = 'Accessories' AND released = 1, and that the two dashes comment out the AND released = 1 condition.
To display the unreleased products we added the following: ' OR 1=1--
and we successfully displayed all products.
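The behaviour observed above can be reproduced locally, next to the fix, with the following added example. It is not code from the lab or from the original write-up: the table schema, sample rows and function names are assumptions, and SQLite stands in for whatever database the lab uses.

```python
import sqlite3

# Constructed sample data (assumption): 3 released and 1 unreleased
# Accessories product, plus 2 products in another category.
ROWS = [
    ("Hat", "Accessories", 1), ("Scarf", "Accessories", 1),
    ("Belt", "Accessories", 1), ("Prototype Watch", "Accessories", 0),
    ("Mug", "Gifts", 1), ("Prototype Lamp", "Gifts", 0),
]

def make_db():
    """In-memory stand-in for the shop database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return db

def filter_concatenated(db, category):
    """Vulnerable pattern: the URL value is pasted into the SQL text."""
    sql = ("SELECT name FROM products WHERE category = '" + category +
           "' AND released = 1")
    return [row[0] for row in db.execute(sql)]

def filter_parameterized(db, category):
    """Hardened pattern: the value is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in db.execute(sql, (category,))]

def count_or_error(fn, db, category):
    """Return the number of rows, or the string 'error' if the SQL is invalid."""
    try:
        return len(fn(db, category))
    except sqlite3.Error:
        return "error"

if __name__ == "__main__":
    db = make_db()
    # The four inputs used in the walkthrough above.
    for value in ["Accessories", "Accessories'", "Accessories'--", "' OR 1=1--"]:
        print(repr(value),
              "concatenated:", count_or_error(filter_concatenated, db, value),
              "parameterized:", count_or_error(filter_parameterized, db, value))
```

With the bound parameter, the quote and the dashes are compared as a literal category name, so the three injected inputs match no rows and the released = 1 condition always applies.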