Lab 14 : Blind SQL injection with time delays and information retrieval

Problem Statement :


This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.


In this problem, the first step is to find out which type of database is used and what version of it is running.

We know that the PortSwigger labs use one of these four database types:

  1. ORACLE
  2. Microsoft
  3. PostgreSQL
  4. MySQL.

Note : If you refer to the cheat sheet, you will find the query that lets you get the version of the database in use. Based on that, you will have to choose the matching query below and run it.

Since we are working with time delays in this problem, we have to run the delay query for each database type and find out which one works.

Time delays

You can cause a time delay in the database when the query is processed. The following will cause an unconditional time delay of 10 seconds.

  Oracle:      dbms_pipe.receive_message(('a'),10)
  Microsoft:   WAITFOR DELAY '0:0:10'
  PostgreSQL:  SELECT pg_sleep(10)
  MySQL:       SELECT SLEEP(10)

Before we start with the lab, we have to first try the above queries and find out which query works on this database. Based on that we will get to know which database this lab is using.

The next thing to note is that we cannot run these queries directly in Burp Suite. In order to execute them, we first need to know the ways of running two queries at the same time.

Note : The website is already sending the TrackingId cookie in a query; we have to add our own query inside this value so that we can manipulate the response. Check this under Burp Suite.

We can do this in multiple methods.

Demo on an actual PostgreSQL database below.

Method 1 – Using string concatenation.

Method 2 – Using a semicolon, which separates multiple SQL statements in a single string or within a script.

Demo in Burp Suite.

Let's try this inside Burp Suite and find out how it works.

  1. First verify whether the username administrator exists in the database or not.
  2. Next check whether the length of the administrator user's password is greater than 1.

Here, in my case, the password is more than 40 characters.

The example below is used to extract the data from the database.

Here we are checking the characters of the password one by one.

That’s our credentials –

Example –

When running this query, it took 10 seconds, and that way we can confirm that the first character of the password is j.

SELECT CASE WHEN (username='administrator' AND substring(password, 1, 1) = 'j') THEN pg_sleep(10) ELSE pg_sleep(0) END as result from accounts;

Next, we check the 2nd character of the password.

SELECT CASE WHEN (username='administrator' AND substring(password, 2, 1) = 'a') THEN pg_sleep(10) ELSE pg_sleep(0) END as result from accounts;

It took more than 10 seconds, so the 2nd character is a.

Next is to guess the 3rd character. If it is not the right character, the query returns right away.

So it's not r.

The next character to try is s, so let's see how much time this query takes.

It took 11 seconds, so the 3rd character is s.

And so on: we have to keep testing each letter at positions 1 to 40, depending on how long the password is, which you found out from the earlier query where you checked the length of the password.

So in this case we are going to use the PortSwigger application's Intruder option (Burp Intruder), which automates the above querying and helps us find the password character by character.

The lab is now solved.
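From the defender's side, the four delay primitives listed above and the one-character-per-request pattern used in this walkthrough are what to look for in the web server's request log. The following is an added example, not code from the original post: a small Python scanner over constructed, tab-separated log lines (client, timestamp, raw TrackingId value, response time in ms, an assumed format) that flags cookie values carrying any of the four delay functions, names the database family they target, and also flags slow requests that carry no known signature.

```python
import re
from collections import namedtuple
from urllib.parse import unquote

# Time-delay primitives for the four database families listed above.
# Patterns are matched case-insensitively after percent-decoding.
DELAY_SIGNATURES = {
    "PostgreSQL": re.compile(r"pg_sleep\s*\(", re.I),
    "MySQL": re.compile(r"\bsleep\s*\(", re.I),
    "Microsoft": re.compile(r"waitfor\s+delay", re.I),
    "Oracle": re.compile(r"dbms_pipe\.receive_message", re.I),
}

# One flagged request; family is "unknown" when only the timing is suspicious.
Finding = namedtuple("Finding", "line_no client family elapsed_ms cookie")

def classify_cookie(cookie):
    """Return the DB family whose delay primitive appears in the cookie, else None.
    The value is percent-decoded first so that pg_sleep%2810%29 is not missed."""
    decoded = unquote(cookie)
    for family, pattern in DELAY_SIGNATURES.items():
        if pattern.search(decoded):
            return family
    return None

def scan_log(lines, slow_ms=5000):
    """Flag requests whose TrackingId value carries a delay primitive, plus
    requests with no known signature that still took at least slow_ms."""
    findings = []
    for n, line in enumerate(lines, 1):
        client, _ts, cookie, elapsed = line.split("\t")
        family = classify_cookie(cookie)
        elapsed_ms = int(elapsed)
        if family or elapsed_ms >= slow_ms:
            findings.append(Finding(n, client, family or "unknown", elapsed_ms, cookie))
    return findings

# Constructed sample lines (assumed format): client, timestamp, raw TrackingId, ms.
SAMPLE_LOG = [
    "10.0.0.5\t2024-01-01T10:00:00Z\tabc123def456\t42",
    "10.0.0.9\t2024-01-01T10:00:01Z\tabc123'; SELECT pg_sleep(10)\t10031",
    "10.0.0.9\t2024-01-01T10:00:12Z\tabc123'; SELECT SLEEP(10)\t38",
    "10.0.0.9\t2024-01-01T10:00:13Z\tabc123'; WAITFOR%20DELAY%20'0:0:10'\t41",
    "10.0.0.7\t2024-01-01T10:00:30Z\tzzz999\t7200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.family} {f.elapsed_ms}ms {f.cookie!r}")
```

A burst of flagged lines from one client, each taking roughly the delay value, is the signature of the per-character extraction shown above; the last sample line shows why timing alone is also worth alerting on.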

