SCENARIO
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
To solve the lab, log in as the administrator user.
INTRODUCTION
This lab explores a blind SQL injection vulnerability using time delays, where no visible output or error messages are returned by the application. Instead, the attacker relies on response timing to infer whether injected conditions are true or false. By triggering deliberate delays in the database query, it becomes possible to extract sensitive information — such as the administrator's password — one character at a time.
SOLUTION
1. Visit the front page of the shop, and use Burp Suite to intercept and modify the request containing the TrackingId cookie. Modify the TrackingId cookie, changing it to: TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END — Here %3B is the URL-encoded semicolon: the single quote closes the application's string literal and a second, stacked statement is appended to the query. The prefix (x here, the original cookie value in the later steps) does not matter once the quote has terminated the string. Note that the application takes about 10 seconds to respond, because the condition 1=1 is true and pg_sleep(10) is executed.

2. Now change it to: TrackingId=kuW9I7aiFAeXiuT'%3BSELECT+CASE+WHEN+(1=2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END — Verify that the application responds immediately with no time delay. This demonstrates how you can test a single boolean condition and infer the result.

3. Now change it to: TrackingId=kuW9I7aiFAeXiuT'%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users — Verify that the response is again delayed by 10 seconds. The CASE expression is evaluated for every row of users, so the delay only occurs if a row with username administrator exists; the delayed response therefore confirms that there is a user called administrator.

4. The next step is to determine how many characters are in the password of the administrator user. To do this, change the value to: TrackingId=kuW9I7aiFAeXiuT'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users — This condition should be true (delayed response), confirming that the password is longer than 1 character.

5. Send a series of follow-up values to test different password lengths. Send: TrackingId=kuW9I7aiFAeXiuT'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>3)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users — and keep increasing the number until the response is no longer delayed. The password length is the first N for which LENGTH(password)>N is false; here the condition is true for >19 and false for >20, so the password is 20 characters long. A binary search over N (>32, >16, >24, and so on) reaches the same answer in far fewer requests than a linear walk.

6. After determining the length of the password, the next step is to test the character at each position to determine its value. This involves a much larger number of requests, so you need to use Burp Intruder. Send the request you are working on to Burp Intruder, using the context menu.
7. In Burp Intruder, change the value of the cookie to:
TrackingId=kuW9I7aiFAeXiuT'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1,1)='a')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users — This uses the SUBSTRING() function to extract a single character from the password and test it against a specific value. The attack will cycle through each position and each possible value, testing them one at a time.
To test the character at each position, mark the a in ='a' as the payload position (§a§) and send suitable payloads in it. You can assume that the password contains only lower-case alphanumeric characters. In the Payloads side panel, check that Simple list is selected, and under Payload configuration add the payloads in the range a to z and 0 to 9.

8. To be able to tell when the correct character was submitted, you'll need to monitor the time taken for the application to respond to each request. For this to be as reliable as possible, you need to configure the Intruder attack to issue requests in a single thread: with concurrent requests, other requests queue behind the one that is sleeping and their timings blur together. To do this, click the Resource pool tab to open the Resource pool side panel and add the attack to a resource pool with the Maximum concurrent requests set to 1. Launch the attack by clicking the Start attack button.

9. Review the attack results to find the value of the character at the first position. You should see a column in the results called Response received. This will generally contain a small number, representing the number of milliseconds the application took to respond. One of the rows should have a larger number in this column, in the region of 10,000 milliseconds. The payload showing for that row is the value of the character at the first position.

10. Repeat for the remaining positions. You can either re-run the attack changing the SUBSTRING offset from 1 to 2, 3, and so on, or create a single Intruder attack with two payload positions (the offset in SUBSTRING(password,§1§,1), numbers 1 to 20, and the character, a to z and 0 to 9) using the cluster bomb attack type, still in a single-threaded resource pool, and work through all permutations of offsets and character values. Sorting the results by Response received groups the 20 delayed rows together; each one gives the character at one position.


11. This is the password retrieved: ynxdczd68tacaxtkv9dq

12. In the browser, click My account to open the login page. Use the password to log in as the administrator user.

CONCLUSION
This lab demonstrates how time-based techniques can be used to exploit blind SQL injection when no other feedback is available. By observing response delays, it was possible to determine the password length and reconstruct it character by character. This highlights the severity of SQL injection vulnerabilities and the importance of securing all user inputs, even when no data is directly exposed. The fix is to pass the cookie value to the database through a parameterized (prepared) query rather than string concatenation, so that the input can never change the structure of the query.