
Tutorial Details SQL Injection Exploit in OopsSec Store
A tutorial details the exploitation of a SQL injection vulnerability in OopsSec Store, a deliberately vulnerable Next.js application designed for security training. The vulnerability is located in the product search functionality, accessible via the endpoint /api/products/search?q=. The backend code builds the query by direct string interpolation into Prisma's $queryRawUnsafe instead of using parameterized queries, so any quotes and SQL keywords in the search term become part of the statement. The exploitation is carried out by submitting the payload "DELIVERED' UNION SELECT id, email, password, role, addressId FROM users--", which closes the quoted search term and appends a UNION that merges rows from the users table into the search results. The recommended fix is to use the Prisma query builder with structured filters and the contains mode, which passes the search term as data rather than as SQL text, instead of constructing raw SQL queries. The application should only be deployed in isolated local environments for educational purposes.
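The contrast between the two query styles, as an added example that is not code from the tutorial or from the OopsSec Store project. The raw query's shape and the column names (`name`, `status`, and so on) are assumptions made for illustration, and a small in-memory matcher stands in for Prisma's engine so the example runs offline; the `mode: "insensitive"` setting is the Prisma `contains` option assumed to be what the tutorial calls the contains mode. A source-scanning helper at the end is the kind of review check a defender would run to find the same construct elsewhere.

```typescript
// Added example; not the project's own code. Query shape, column names and
// sample rows below are constructed for illustration.

type Product = { id: number; name: string; description: string; price: number; status: string };

// Constructed sample data standing in for the products table.
const products: Product[] = [
  { id: 1, name: "Delivered Goods Mug", description: "ceramic", price: 9, status: "DELIVERED" },
  { id: 2, name: "Shipping Label Pack", description: "paper", price: 4, status: "SHIPPED" },
];

// Vulnerable pattern: the search term is spliced into SQL text, which is what
// passing an interpolated template string to $queryRawUnsafe does. Quotes and
// keywords in the term become part of the statement. (Query shape assumed.)
function buildUnsafeSql(q: string): string {
  return `SELECT id, name, description, price, status FROM products WHERE status = '${q}'`;
}

// Hardened pattern: the search term travels as data inside a structured
// Prisma-style filter; nothing in it is ever interpreted as SQL.
type ContainsFilter = { name: { contains: string; mode: "insensitive" } };
function buildSafeWhere(q: string): ContainsFilter {
  return { name: { contains: q, mode: "insensitive" } };
}

// Minimal in-memory evaluator for the contains filter, standing in for the
// database so the example runs offline. The filter value is only ever
// compared as a substring, never parsed.
function findManyProducts(where: ContainsFilter): Product[] {
  const needle = where.name.contains.toLowerCase();
  return products.filter((p) => p.name.toLowerCase().includes(needle));
}

// Defensive check on a built statement: does it reference a table the search
// was never meant to touch? Shows the injected term rewriting the query.
function referencesTable(sql: string, table: string): boolean {
  return new RegExp(`\\bFROM\\s+${table}\\b`, "i").test(sql);
}

// Code review helper: report line numbers (1-based) where an interpolated
// template string is passed to $queryRawUnsafe, the construct that made the
// search injectable. A heuristic, not a full parser.
function findRawUnsafeInterpolation(source: string): number[] {
  return source
    .split("\n")
    .map((line, i) => (line.includes("$queryRawUnsafe") && line.includes("${") ? i + 1 : -1))
    .filter((n) => n > 0);
}

// Demonstration with the payload the tutorial describes.
const payload = "DELIVERED' UNION SELECT id, email, password, role, addressId FROM users--";
console.log(buildUnsafeSql(payload));                               // statement now also reads users
console.log(referencesTable(buildUnsafeSql(payload), "users"));     // true
console.log(findManyProducts(buildSafeWhere(payload)));             // [] : treated as a literal search term
console.log(findManyProducts(buildSafeWhere("mug")).length);        // 1
```

The structured filter does not need to "sanitize" the term: because it never becomes SQL text, the same payload simply matches no product names. The review helper is deliberately narrow; in a real code base it would be complemented by a lint rule or a grep for every `$queryRawUnsafe` and `$executeRawUnsafe` call site.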