Learning Web-Sec - Day 5 - PortSwigger Blind SQL Injection Labs

Blind SQL Injection with Conditional Errors

Nimish Dudhe (SecOvfShanks)
System Weakness


Follow me for more such content, as it helps me stay motivated for writing such detailed walk-throughs.

Lab 12 — Blind SQL Injection With Conditional Errors

Level: Apprentice

Description Of Lab:

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows. If the SQL query causes an error, then the application returns a custom error message.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Just like the previous lab, here we’ll be playing with the requests made by the browser. We’re on the Lifestyle category page, and we’ll be analyzing the responses to the edited requests.

Original Request:

Edited Request 1:

Response 1: Got an “Internal Server Error”(ISE) message.

Edited Request 2:

Response 2: Same, ISE.

Edited Request 3:

Response 3: Interesting, not an ISE this time. From this we can conclude that the database is Oracle, as the ISE vanished when we used the dual table.

Edited Request 4:

Response 4: What does this 200 status code tell us? It tells us that the whole condition inside the parentheses is true, which means there is a table named users containing a username administrator. Good enough.

Now let’s find a way to extract the password of the administrator user. We can try the same approach as the last lab, for which we need to extract substrings. The SUBSTRING function does not work on every DBMS, as in this case, so we have to look up which function the DBMS in use provides; for Oracle, the function is SUBSTR.

Usage of SUBSTR function.

Here I tried things for extracting the length of the password but had no luck (I mean, I know it’s not about luck, it’s probably about the syntax).

And then I tried 1 for the length of the password but didn’t attach the screenshot as the response was the same: 200 OK. But the password can’t have 2 different lengths, right? Anyway, moving on. Let’s try some more editing.

I finally gave up, but then I went through their SQL injection cheat sheet as mentioned in the hint. It had the skeleton payload for SQLi with conditional errors, which looked something like:

SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN TO_CHAR(1/0) ELSE NULL END FROM dual

Editing the payload and trying different things, it started working out.

Edited skeleton payload 1: if 1=2 then TO_CHAR(1/0), which won’t give an error.

And as we thought, it didn’t throw an error. Now let’s change it to make it throw an error.

Edited skeleton payload 2: if 1=1 then TO_CHAR(1/0), which would give an error.

And it did. Now we know how to make it work.
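To make the two skeleton payloads above concrete, here is an added example (my own code, not from this post or from PortSwigger) that simulates the lab's cookie oracle on an in-memory SQLite database and shows that binding the cookie as a query parameter closes it. SQLite has no dual table and returns NULL for 1/0 instead of erroring, so a hypothetical errdiv function stands in for Oracle's TO_CHAR(1/0); the schema, cookie value and administrator password are constructed for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's database; the schema and the
# administrator password are made up here, not taken from the lab.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (id TEXT)")
    conn.execute("INSERT INTO tracking VALUES ('abc123')")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('administrator', 'constructedpw')")

    # Oracle's TO_CHAR(1/0) raises a division-by-zero error; SQLite silently
    # returns NULL for 1/0, so a hypothetical helper named errdiv is registered
    # to reproduce the error the conditional-error technique relies on.
    def errdiv(a, b):
        return a / b  # ZeroDivisionError surfaces as sqlite3.OperationalError

    conn.create_function("errdiv", 2, errdiv)
    return conn

def lookup_vulnerable(conn, tracking_id):
    """The lab's bug: the cookie value is concatenated into the SQL text."""
    sql = "SELECT * FROM tracking WHERE id = '" + tracking_id + "'"
    try:
        conn.execute(sql).fetchall()
        return 200
    except sqlite3.Error:
        return 500  # the "Internal Server Error" seen in the walkthrough

def lookup_fixed(conn, tracking_id):
    """Parameterised query: the cookie is bound as data, never parsed as SQL."""
    try:
        conn.execute("SELECT * FROM tracking WHERE id = ?", (tracking_id,)).fetchall()
        return 200
    except sqlite3.Error:
        return 500

def probe(lookup, conn, condition):
    """Apply the cheat-sheet skeleton: True iff the app's error response
    reveals that `condition` holds for the administrator row."""
    payload = ("abc123' AND (SELECT CASE WHEN (" + condition + ") THEN errdiv(1,0) "
               "ELSE NULL END FROM users WHERE username='administrator') IS NULL--")
    return lookup(conn, payload) == 500
```

Against lookup_vulnerable the probe answers 1=1 and 1=2 differently, which is the bit the lab leaks per request; against lookup_fixed both probes return 200, so the oracle yields nothing.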

Let’s try some more request editing.

Yayyyy, We finally got it.

Fuzzed letters and numbers to get the first character of the password.

And after testing a bit, I found a way to extract the length of the password, as you can see below. The length of the password is 20. Why is this necessary? We now won’t have to make more requests than necessary.

Let’s now start fuzzing each position of the password string with the possible characters.

We have started getting our password, I mean the administrator’s password.

We now have our password for the administrator account, Log in using this password and BOOM! We now have the highest authority.

And Congratulations, You solved the lab!


A cyber security + blockchain enthusiast who writes about web application penetration testing and blockchain network ecosystems.