SQL injection with filter bypass via XML encoding

NOTE: Watch out for the XML structure when you insert the malicious UNION query ;)
Comments

7:30 Boom! Thanks for the great walkthrough!

sackwhacker

Hey, you had a mistake at 4:54. You click on the dec_entities, and this is wrong; that was the hex_entities. Because my lab is showing me a 0 unit error.

iamagastya

Thanks for making the content and explaining, appreciated \o/

JuanBotes

Thank you, it worked for me. You are explaining very well.

mike-nnmq

Sir, if you are reading this comment, please tell me why you didn't try to inject in the product ID section of the XML in the first place, because I tried a few queries, OR 1=1 and OR 1=2, and the result changed on the basis of the query, which means SQL injection is possible there as well, but I cannot retrieve the user credentials in the same manner as I was able to do in the store ID. Please tell me. THANKS FOR THE WALKTHROUGH

AnishKumar-tu

Today I tried with the same payload but got "attack detected"! Not sure how to fix.

ProsenjitManna

Why are you sleeping while making videos, btw good content

stepbroimstuck