1.7 Lab: Blind SQL injection with conditional responses | 2023

The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. The results of the SQL query are not returned, and no error messages are displayed. But, it includes a message, if the query returns any rows. The db contains a table called users, with columns called username and password | Karthikeyan Nagaraj

Description

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and no error messages are displayed. But the application includes a “Welcome back” message in the page if the query returns any rows.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Pre-Requisite

Find the type of database using the below SQL Injection cheat sheet

SQL injection cheat sheet | Web Security Academy

Solution

1. Capture the request of the homepage and send it to the repeater
2. we know that there is a tracking cookie where the vulnerability lies
3. Inject the query at the end of TrackingId like below TrackingId=YOUR_TRACKING_ID’ and (select username from users where username=’administrator’ and length(password)>5)=’administrator’ — ;
4. The above query implies selecting the TrackingId and username(where the username is ‘administrator’ and the length of the user’s password should be greater than 5) —
5. If it returns “welcome message”, the query condition is true else, false
6. we have to find the length of the admin password by incrementing the length of the password value from 5 to 30( assuming that, the password is not more than 30 characters)
7. The Above process can be automated by sending this request to the intruder → adding 5 as payload position → Setting numbers payload type → setting 5 as From value, 30 as To value and 1 as Step value → start attack → we will get the length of the password where the length of the payload changes first.
8. Now, we know that the password length is 20 from step 7. So we have to find the letters of the password
9. The below query will substitute 'a'for the 1st letter of the password, if that is true then we will receive a “welcome message" else, the letter is wrong‘ and (select substring(password,1,1) from users where username=’administrator’)=’a’--
10. we have to keep changing the letters from ‘a’ to ‘z’ and ‘0’ to ‘9’ to find the actual letters of the password. So we have to automate this thing using Intruder.
11. Send the request to Intruder → from substring add the first 1 as payload position and ‘a’ as the second payload position →Choose Cluster Bomb
12. → Select Numbers as payload type for payload 1 → give 1 as From value, 20 as To value and 1 as Step value
13. → Select Bruteforcer as payload type for payload 2 → give 1 as value for min length and max length and start the attack
14. After the Attack is Completed, click the Filter, type “welcome” and click Apply. This will filter out the Valid letters that are present in the password
15. Click on the Payload1 Column to Sort out the letters starting from 1st value.
16. Note down the letters in that order and use that 20-letter password to log in to the administrator account to Solve the lab

Solution 2 — Portswigger

1. Visit the front page of the shop, and use Burp Suite to intercept and modify the request containing the TrackingId cookie. For simplicity, let's say the original value of the cookie is TrackingId=xyz.
2. Modify the TrackingId cookie, changing it to:
   TrackingId=xyz' AND '1'='1
Verify that the “Welcome back” message appears in the response.
3. Now change it to:
   TrackingId=xyz' AND '1'='2
Verify that the “Welcome back” message does not appear in the response. This demonstrates how you can test a single boolean condition and infer the result.
4. Now change it to:
   TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a
Verify that the condition is true, confirming that there is a table called users.
5. Now change it to:
   TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a
Verify that the condition is true, confirming that there is a user called administrator.
6. The next step is to determine how many characters are in the password of the administrator user. To do this, change the value to:
   TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a
This condition should be true, confirming that the password is greater than 1 character in length.
7. Send a series of follow-up values to test different password lengths. Send:
   TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>2)='a
Then send:
   TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>3)='a
And so on. You can do this manually using Burp Repeater, since the length is likely to be short. When the condition stops being true (i.e. when the “Welcome back” message disappears), you have determined the length of the password, which is in fact 20 characters long.
8. After determining the length of the password, the next step is to test the character at each position to determine its value. This involves a much larger number of requests, so you need to use Burp Intruder. Send the request you are working on to Burp Intruder, using the context menu.
9. In the Positions tab of Burp Intruder, change the value of the cookie to:
   TrackingId=xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a
This uses the SUBSTRING() function to extract a single character from the password, and test it against a specific value. Our attack will cycle through each position and possible value, testing each one in turn.
10. Place payload position markers around the final a character in the cookie value. To do this, select just the a, and click the "Add §" button. You should then see the following as the cookie value (note the payload position markers):
    TrackingId=xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='§a§
11. To test the character at each position, you’ll need to send suitable payloads in the payload position that you’ve defined. You can assume that the password contains only lowercase alphanumeric characters. Go to the Payloads tab, check that “Simple list” is selected, and under Payload settings add the payloads in the range a — z and 0–9. You can select these easily using the “Add from list” drop-down.
12. To be able to tell when the correct character was submitted, you’ll need to grep each response for the expression “Welcome back”. To do this, go to the Settings tab, and the “Grep — Match” section. Clear any existing entries in the list, and then add the value “Welcome back”.
13. Launch the attack by clicking the “Start attack” button or selecting “Start attack” from the Intruder menu.
14. Review the attack results to find the value of the character at the first position. You should see a column in the results called “Welcome back”. One of the rows should have a tick in this column. The payload showing for that row is the value of the character at the first position.
15. Now, you simply need to re-run the attack for each of the other character positions in the password, to determine their value. To do this, go back to the main Burp window, and the Positions tab of Burp Intruder, and change the specified offset from 1 to 2. You should then see the following as the cookie value:
    TrackingId=xyz' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='a
16. Launch the modified attack, review the results, and note the character at the second offset.
17. Continue this process testing offset 3, 4, and so on, until you have the whole password.
18. In the browser, click “My account” to open the login page. Use the password to log in as the administrator user.

If you would like to support me so that I can create more free content — https://www.buymeacoffee.com/cyberw1ng

Thank you for Reading!

Happy Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng

Telegram Channel for Ethical Hacking Dumps — https://t.me/ethicalhackingessentials