This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The SQL query is executed asynchronously and has no effect on the application's response. However, you can trigger out-of-band interactions with an external domain.
The database contains a different table called
users, with columns called
password. You need to exploit the blind SQL injection vulnerability to find out the password of the
To solve the lab, log in as the
You must use the public Burp Collaborator server (
TrackingIdcookie, changing it to something like the following, but insert your Burp Collaborator subdomain where indicated:
administratoruser should appear in the subdomain of the interaction, and you can view this within the Burp Collaborator client. For DNS interactions, the full domain name that was looked up is shown in the Description tab. For HTTP interactions, the full domain name is shown in the Host header in the Request to Collaborator tab.