Xperienced TV

SQL Injection Basics: Retrieving Hidden Data

In this part of my cybersecurity learning journey, I worked through a PortSwigger Web Security Academy lab about getting hidden data using SQL injection techniques.

They used the example of a shopping application that shows products in different categories. You click on a category and it shows you the contents of that category:

PortSwigger WebSecurity Academy’s vulnerable application

We’re interested here in the query string at the end of the URL. In this case it’s

?category=Accessories

That gets sent to the backend where the application uses it to query a database. The lab explained the SQL query may look something like this:

SELECT * FROM products WHERE category = 'Accessories' AND released = 1

To be completely honest, as a beginner, I did wonder:

How would I know about the “AND released = 1” part just from looking at the query string?

The answer is: I probably wouldn’t know from the query alone… But hey-ho. I guess it’s just for the purposes of showing us a simplified version of what goes on behind the scenes. In a real-world situation we’d probably be testing the application’s behaviour and making guesses based on its responses.

So to break it down, that SQL query runs like this:

Hey database! SELECT everything FROM the products table
WHERE the category is Accessories
AND WHERE released is equal to 1. K thx bye.

Suspending the disbelief that I would know about the released=1 condition for a moment (and assuming that released=0 is for unreleased products let’s assume that the app doesn’t have any defense against SQL injection at all. We can try and attack it by changing that query string to something like:

?category=Accessories'--

You can see we how have another product showing called “Cheshire Cat Grin”. Basically we made an alteration to the SQL query that the application would send. Now it would be something like this:

SELECT * FROM products WHERE category = 'Accessories'--' AND released = 1

Notice that double dash? In SQL, that indicates what follows next is a comment and should be ignored. Therefore it’s completely removed from the query. So now we’re gettling all the accessories!

We can also do something similar for get absolutely everything by changing the query string to:

?category=Accessories'+OR+1=1--

That gives us the SQL query:

SELECT * FROM products WHERE category = 'Accessories' OR 1=1--' AND released = 1

The key part here is:

OR 1=1

This works because 1=1 is always true. So now we’re saying:

Hey database! SELECT everything from the products table
WHERE the category is 'Accessories'
OR you know... Whatever. K thx bye.

This works because we are now asking for a catergory called ‘Accessories’ OR any category that is true. This basically means it contains any value except false or 0. This makes it output everything in the products table and it also clears the lab!

Important warning

One thing the lab points out is that even a simple-looking injection like:

OR 1=1

can be dangerous!

It might seem harmless when you are only retrieving products from a test shop, but some applications use the same input in multiple database queries.

If that injected condition reached an UPDATE or DELETE statement, it could potentially modify or delete far more data than intended.

So this is something to practise only in safe, legal environments like PortSwigger Web Security Academy labs, deliberately vulnerable apps, or your own test systems.

What I learned

The main thing I took away from this lab is that SQL injection is not magic. It is about understanding how user input can accidentally become part of a database query.

The category value in the URL looked harmless, but because the application trusted it too much, it was possible to change the logic of the SQL query.

That is why secure applications need to validate input properly and, more importantly, use safe database queries rather than directly building SQL strings from user input.

Later, we’ll look at ways to mitigate these problems, but not before exploring more SQL injection vulnerabilities! So thanks for sticking around and learning. Until the next time, until the next tutorial: Catch you later! Bye bye!

What Is SQL Injection? A Beginner’s Introduction

Information

Okay, so here we go. First attempt at actually learning something to do with CyberSecurity! Kind of exciting and a little nerve-wracking, to be honest.

Today’s topic is SQL injection.

As a web developer, I’ve heard of this a lot before. It’s one of those things that’s been around for ages and, quite frankly, isn’t something that I’ve ever actually tried or thought about since I left PHP development many years ago. I vaguely remember doing mitigating things when I had to access the MySQL backend of one of the first versions of Xperienced (back then, I believe we were Experienced.tk because the domain was free or the cheapest option). Truly premium web development… Enterprise grade… Obvs…

Modern day SQL injection? I’ve got no clue about that… So these articles are me taking notes as I start learning.

What is SQL injection?

From what I understand so far, SQL injection is a vulnerability that will allow an attacker to interfere with database queries that the application makes to its backend.

That can mean an attacker is able to view data they should not be able to see, such as hidden records, user information, or other sensitive data that should not be publicly accessible.

In more serious cases, SQL injection can be used to change the behaviour of an application, modify data, bypass login checks, or potentially create a way for an attacker to maintain access for a longer period of time.

Some attacks can even escalate further, depending on the application, database permissions, and server setup.

In short: it is not just “getting extra rows from a database”. It can become a much bigger problem.

We’re in for some fun, it seems…

What does a successful SQL injection look like?

So the goal of an SQL injection attack is to gain unauthorised access to sensitive data.

Trying to get passwords, credit card details or PII (peronally idenentifiable information). A lot of data breaches we hear about have come from SQL injection attacks or similar weaknesses and cause a lot of reputational damage and, in some cases, huge fines from governing bodies or regulators. In some cases, the attacker can leave themselves a persistent backdoor into the system for a long-term exfiltration of information that may go unnoticed for a very long time…

Very cheerful stuff… O_O

Detecting SQL injection vulnerabilities

Whilst there are tools to automate the process (like Burp Scanner) there are ways you can do this manually by testing against every entry point one by one. Entry points could include:

URL parameters
search boxes
login forms
filters
cookies
request headers
hidden form fields

A common starting point is the single quote character:

If entering a quote causes an error or unusual response, it may suggest that the input is being handled unsafely in a SQL query.

Other common testing approaches include using SQL-specific syntax that should either preserve the original query or change its behaviour. The aim is to compare the application’s responses and look for differences.

Boolean conditions are another common technique, such as:

OR 1=1

and

OR 1=2

The first condition is always true, while the second is false. If the application responds differently to each one, that may indicate that the input is affecting a SQL query.

There are also time-delay payloads, where the database is instructed to pause before responding. If the application suddenly takes longer to load, that can be another clue.

Another technique is OAST, which stands for Out-of-band Application Security Testing. This involves trying to make the target application interact with an external system controlled by the tester. If that external interaction happens, it can reveal that the payload was executed somewhere on the backend.

WHERE to do the SQL injection?

So a lot of attacks happen and vulnerabilities exist within the WHERE clause of a SELECT statement. They can also happen at other locations in the query as well for example:

UPDATE → within the updated values or the WHERE clause
INSERT → within the inserted values
SELECT → within the table or column name or the ORDER BY clause.

So while the classic SQL injection example is usually something like a login form or category filter, the vulnerability can appear wherever user-controlled input is included unsafely in a database query.

How to do an SQL injection attack?

There are several different SQL injection techniques, depending on the application and how it responds. The ones I have seen so far include:

Retrieving hidden information

This is where SQL injection is used to return additional results from a query. For example, a shop might normally show only released products, but a vulnerable query could be manipulated to also show hidden or unreleased products.

Subverting the application’s logic

This is where the injection changes the logic of the application. A classic example would be interfering with a login query so the database condition always evaluates to true.

UNION attacks

A UNION attack can be used to retrieve information from other database tables. For example, if a vulnerable page normally returns product information, a UNION attack might try to make it return usernames or other data from a different table.

Blind SQL injection

Blind SQL injection happens when the results of the query are not directly shown in the application’s response. That makes it harder to test, because instead of seeing the data directly, you have to infer what is happening from things like:

different page responses
error messages
time delays
external network interactions

It sounds slower and more awkward, which probably means it is exactly the kind of thing I will end up spending hours stuck on later.

Learning safely

For these articles, I am using PortSwigger Web Security Academy as my main learning resource.

I am not sponsored or affiliated with them. They are simply the tutorials and labs I found, and they seem like a safe and legal way to practise. That part is important.

SQL injection should only be tested in environments where you have permission. That means intentionally vulnerable labs, training platforms, or systems you personally own and control.

Do not test this on random websites!

Aside from being illegal, it could cause real damage.

What I have learned so far

The main thing I have taken away from this introduction is that SQL injection is about trust. If an application takes user input and includes it directly in a database query, an attacker may be able to change what that query does.

That could mean retrieving hidden data, bypassing logic, extracting information from other tables, or causing far more serious damage depending on the system.

As a developer, this is especially interesting because it connects directly to how applications are built. It is not just an abstract “hacker thing”. It is a consequence of insecure coding patterns, poor input handling, and unsafe database queries.

Next, I will start working through some practical examples and seeing how these vulnerabilities actually behave in a controlled lab environment.

Episode 2: First Steps Into Cybersecurity

Well, the second video is up. This one doesn’t really go into much detail, but we are setting up a small hacking lab. This will be focussed on web security to start with, so bear with me. Also, there’s a lot of attempts at trying to get some form of script for these things, but I still end up waffling on…

Anyway, with that all said and done, I now have a workstation and a target in my first ever mini hacking lab. Admitedly it’s not the greatest, but it’s done with things I had laying around and is therefore cheap and cheerful.

As mentioned in the video, I could have done everything on one machine. Since WebGoat is bound to a localhost port, it would also have made things a little easier. However this felt like a more realistic approach. I’m not going to have physical access to some things and in the real world a lot of apps wouldn’t be running in a docker container on my machine. I don’t know… It made sense to me at the time.

This first version of the lab I set up Kali Linux on and old Intel NUC that was originally running Windows 10, and that was as simple as downloading an ISO form Kali’s website, using Balena Etcher to create a bootable USB stick and running that from the boot menu of the NUC. Pretty much kept the defaults and let it do its thing.

The only problem I ran into was the latest version of Balena Etcher not working properly when I tried to load the Kali ISO. A quick search around the internet revealed that rolling back to v1.18.11 would work and, surprisingly, it did.

Setting up the Pi is pretty simple as well. The Raspberry Pi Imager makes it easy to flash the OS to an SD card and, despite the verification failing each time I tried, the Pi booted up alright. From there, I installed Docker through a command line script and pulled the WebGoat image down as well.

Running WebGoat takes ages on that Pi 4… Still, it did eventually run, so that was a relief.

In Kali Linux, I was then able to SSH into the Pi 4 and run docker with WebGoat from there. Again, it took ages to boot up, but it got there eventually.

Burpsuite next. Kali already somes with BurpSuite installed, so just needed to make sure I was on the latest version. The Community Edition will be fine for this. Could also downlaod it from their website, but didn’t need to on this occasion.

With that up and running, switch over to the proxy tab and launch the browser from there (making sure intercept is on). The Chromium browser that loads up is now connected to BurpSuite. Anything I navigate to in there will show in Burp for inspection. Just don’t forget to forward the requests when you’re done inspecting or altering.

And that’s it. That’s the first version of our lab set up. It’s simple. It’s not the fastest. It works. Onwards and upwards! Now I can settle in and learn some exploits before coming back to do another video on what I’ve learned! Can’t wait to share the progress with you all!

There are other electronics projects that I’ve got ready to go, though… But I’ve already bored you with those in another blog post.

If you’re still reading: Thank you very much for dropping by and until the next time, until the next blog post: Catch you later! Bye bye!

Electronics Projects Pipeline

The second video is currently in progress, and I just wanted to talk about things coming up on the channel. I’ve been talking about what I want to do with cybersecurity and electronics, but didn’t want to pad out the video too much by going into details. Luckily I can whack some stuff into the blog and if you want to read it, you can. If you don’t, at least it gives me an outlet to think through my ideas and either get really excited boaut them or realise how ridiculous they sound. So here is everything that I have in my little brain at the moment:

Digital Computer Electronics

The series kind of stopped in the transistor section… There were supposed to be three videos talking about transistors and only ended up having two. I would like to restart this from the beginning and whilst the original videos gained a couple of thousand views in total, I’m going to delist them and start again. There were some things in those vids I wasn’t happy with, and feel like they need a fresh approach. The ultimate aim of that series is to end up building some modules and parts for a basic ‘computer’. It probably won’t be pretty, but it’ll teach me and hopefully you a bit about the internal workings of computers. Ben Eater’s breadboard computer it won’t be… I’m not that good.

Pachi Systems

For anyone that has ever seen my GitHub and wondered (https://github.com/PachiSystems) where did that name come from? It’s because I own two Japanese pachislot machines. I’ve had them for over 20 years and after getting the first one, I was obsessed with building what’s called a ‘battle counter’ for them. These things plug into a board the machine and either connect to a flashy thing that goes on the top, or to a central computer system operated by the parlour. The software and hardware for these can be quite expensive and incredibly difficultt o find outside of Japan and the pachinko industry, so I wanted to make my own. I even went down the rabbit hold of learing how to program for PIC microcontrollers and use that to figure out what the machines are doing in each of their states… All that research has been lost, but the desire to finish what I started remains. I’m thinking of making a series of videos that explore how I go about decoding these machines again and building a tracking system with modern microcontrollers like the Pi Pico, ESP32 or similar boards that can wirelessly connect to the internet or a piece of software to provide realtime updates on the status of the machine.

Dungeons & Dragons

I love playing Dungeons & Dragons. Although I do play other TTRPG games, D&D is the one I’m probably playing more than most. I like to run games for my friends and enjoy playing in a local group regularly as well. One thing I love about prepping a game is thinking of how I can provide some kind of physical interaction to the world I’m presenting. Before I’ve handed out printed materials, then I started with 3D printed items and I did try to create an electronic puzzle, but unfortunately it decided to play silly buggers when I transferred it from a breadboard to a vero board… This time, I want to do this again from scratch and make something that could potentially be used multiple times in different scenarios. It’ll use NFC, audio, visuals and possibly have to have some 3D print and laser cut stuff to go with it… Should be an interesting little project.

Escape Room

If there’s one thing I love more than TTRPGs, it’s escape rooms. The physical puzzle element really gives me a massive dopamine rush and being immersed in that is the best escape I can get from day to day routine. I’ve always been fascinated by how they’re put together and at one time I was even trying to figure out if I could go into business with my own escape room. But I didn’t have the money to do it. Plus I didn’t have the skills to create props, and pre-bought ones are quite pricey. However, there were some amazing videos out there. One channel that really made an impact on me was Playful Technology. I even learned a lot about MQTT and Node-RED. I never got to the point where I could do much apart from some simple things, but I had an idea for an escape room in a case/box that’s not the usual ‘defuse the bomb before time runs out’… Or ‘stop the nuclear launch’. This one is a bit more dystopian and there are three different endings based on what the user does once they’ve solved it… I’m quite excited about this one. It might cost a bit more than the other ones to make as I don’t have all the stuff, but it’ll be a really fun journey.

F***ing Cheap Flipper Zero

The Flipper Zero has had my attention for a long time now. The ability to store RFID, NFC, IR, and Sub-GHz data on one little device has fascinated me. It’s also got a lot of other uses that I would love to learn about. Since I couldn’t afford one, I thought there must be a way to build one. Recently I found some information online about the FCFZ which is pretty much a straight clone of the Flipper Zero, but you can build it yourself. I have most of the parts, so I’m thinking of building one from scratch and showing you how to do it as well. The only tutorials I’ve found at the moment are a bit hard to follow along with, so my aim would be to make it a bit more simpler to follow along with along with learning how to use it together. If at some point I manage to get a real Flipper Zero, we can also learn how to use that together. I’ll also be building a pwnagotchi, but having done that before I can say it’s a lot easier. Using one, however, I still have no clue about…

So that’s the current pipeline for electronics projects. I’m planning to continue on the cycber security with web hacking, so will be doing videos on the basics of HTTP and request manipulation. Stay tuned for those, but thanks for reading and until then next time, until the next blog post: Catch you later! Bye bye!

Welcome to XPtv!

I’m diving into a bit of nostalgia while picking up some new skills. It appears WordPress hasn’t changed much since the early 2000s… Still the same familiar setup. For now, this theme will do until we grow and decide on a fresh layout. Meanwhile, feel free to bookmark the site, check out the YouTube channel at https://youtube.com/XperiencedTV, and stay tuned for what’s next.

Oh yeah… Apologies for what’s about to happen in the next few days on there… Apparently you gotta publish shorts now to get pushed up the algo, so … yeah…