SQL Injection – with filter bypass via XML encoding | PortSwigger Lab Note #11

via Dev.to Tutorial | Kenny Cipher

Target:
Lab URL: https://portswigger.net/web-security/learning-paths/sql-injection/sql-injection-in-different-contexts/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding#

Tools Used:
Browser
Burp Suite

Vulnerability Summary:
Type: SQL Injection
Description: This lab demonstrates a SQL injection vulnerability inside XML input. The application performs a database query using user-supplied XML data without proper sanitization. However, a weak WAF (Web Application Firewall) attempts to block common SQL injection payloads. The goal is to bypass the filter using XML encoding, extract the administrator credentials, and log in as the administrator.

Steps to Exploit:
1. Check the lab scenario and identify two possible injection points in the XML request.
2. Test the XML structure by submitting some special or sensitive characters to see whether a weak WAF or input filter exists.
3. After confirming that character filtering is present, attempt to bypass the filter and determine the
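
Added example (not part of the original article or the lab's code): a Python demonstration of why a filter that inspects the raw XML body misses a value written with character references, and of the server-side fix, which is to validate the decoded values and bind them as query parameters. The element names, blocklist, table and request bodies are assumptions constructed for illustration.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Hypothetical keyword blocklist standing in for the lab's weak WAF.
BLOCKLIST = re.compile(r"\b(union|select)\b|'", re.IGNORECASE)
# Constructed request bodies; element names are assumptions, not from the page.
CLEAN = "<stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>"
# Same request, but storeId spells a blocked keyword with a character reference.
ENCODED = ("<stockCheck><productId>1</productId>"
           "<storeId>2 &#x55;NION</storeId></stockCheck>")

def raw_filter_allows(body):
    """Weak design: match the blocklist against the undecoded request body."""
    return BLOCKLIST.search(body) is None

def decoded_fields(body):
    """What the application sees: the parser has resolved character references."""
    return {el.tag: (el.text or "") for el in ET.fromstring(body)}

def decoded_filter_allows(body):
    """Same blocklist, applied after parsing to the values the query will use."""
    return all(BLOCKLIST.search(v) is None for v in decoded_fields(body).values())

def validated_ids(body):
    """Allow-list: both fields must be plain decimal integers after decoding."""
    fields = decoded_fields(body)
    for name in ("productId", "storeId"):
        if not re.fullmatch(r"[0-9]{1,9}", fields.get(name, "")):
            raise ValueError(f"{name} is not a decimal integer")
    return int(fields["productId"]), int(fields["storeId"])

def stock_for(conn, body):
    """Bound parameters keep the values as data, whatever a filter missed."""
    query = "SELECT units FROM stock WHERE product_id = ? AND store_id = ?"
    row = conn.execute(query, validated_ids(body)).fetchone()
    return row[0] if row else None

def demo_db():
    """In-memory table with one constructed row, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stock (product_id INTEGER, store_id INTEGER, units INTEGER)")
    conn.execute("INSERT INTO stock VALUES (1, 2, 37)")
    return conn

if __name__ == "__main__":
    print("raw filter allows encoded body:", raw_filter_allows(ENCODED))
    print("decoded storeId:", decoded_fields(ENCODED)["storeId"])
    print("stock for clean body:", stock_for(demo_db(), CLEAN))
```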
