Lab: Blind SQL injection with conditional errors 💉

Katjah Smith👩🏽‍💻
4 min read · Feb 16, 2022

Hey, cyber security folks! This blog will focus on the Blind SQL injection with conditional errors lab from the Web Security Academy SQL injection learning path, worked through with Burp Suite.

Vulnerability:

Tracking cookie 🍪

Aim:

1. Find out the password for the user administrator
2. Log in as administrator

Steps:

1. Use Burp Suite to intercept and modify the tracking cookie and confirm that SQL injection is possible.

When modifying the cookie, the aim is to determine whether a syntax error has a noticeable effect on the page's response. We first try a single quote: TrackingId=xyz'

and then two single quotes: TrackingId=xyz''

A syntax error [500 Internal Server Error] was received with the single quote, but not with the two quotes (which the database reads as one escaped quote). The error therefore has a noticeable effect on the page's response.

Next, confirm that the error comes from the database by injecting a subquery with valid SQL syntax. The lab hint states that the database is Oracle, so use Oracle syntax when constructing it:

TrackingId=xyz'||(SELECT '' FROM dual)||'

No error was received with the valid syntax above, while an error was returned as soon as the syntax was made invalid. The database is therefore processing the injected SQL, and the cookie is vulnerable to SQL injection.

2. Verify that a users table exists with the following SQL:

TrackingId=xyz'||(SELECT '' FROM users WHERE ROWNUM = 1)||'

No error message was returned, therefore the database has a users table.

3. Verify that a user called administrator exists in the table.

Payload 1: Trigger an error based on the truth of a condition, using a CASE statement.

Payload 2: Include a divide-by-zero expression, which causes an error when it is evaluated.

Conditions: e.g. 1=1 and 1=2.

TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

Remember that the condition is true when an error message is received ❗️ ❗️

To better understand the CASE statement, note the order of evaluation: the FROM and WHERE clauses are evaluated first, then the SELECT, and only then the THEN branch of the CASE.

So in the above CASE statement the database first checks whether a row with the username administrator exists. Because it does, it evaluates the condition 1=1, which is always true, and then the divide-by-zero in the THEN branch, which is where the error message is generated.

It has therefore been verified that there is an administrator username in the users table.

4. Determine how many characters are in the administrator password.

TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>1 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

A password for administrator exists and it is more than 1 character long. 🎊 See above

The password is not longer than 30 characters, as no error message was received. See above

I tried =20 and got an error, so the password can be said to have a length of 20.

5. Determine the administrator password.

TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

The first character is not 'a'.

With the use of Burp Intruder, the characters of the administrator password and their positions can be determined in a few steps:

Right-click the request and select Send to Intruder. Click Clear $, then highlight the position number in the payload (preferably 1) and the letter a, and mark each with Add $. Select the attack type Cluster bomb.

Select Start Attack.

This provided all the characters of the 20-character password and their positions; the correct characters were identified by filtering on the 500 status column.
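As an added defender-side example (not part of the lab or the original post), the following Python flags the probing pattern described in steps 1 to 5 in web server logs: tracking cookies carrying quotes, subqueries or the divide-by-zero expression, and the split between 200 and 500 responses that gives the tester their true/false oracle. The log line format and the sample lines are constructed for illustration.

```python
import re

# Constructed sample lines (not from the lab) in an assumed format:
# <client ip> <status> "TrackingId=<cookie value>"
SAMPLE_LOG = """\
10.0.0.5 200 "TrackingId=xyz"
10.0.0.5 500 "TrackingId=xyz'"
10.0.0.5 200 "TrackingId=xyz''"
10.0.0.5 200 "TrackingId=xyz'||(SELECT '' FROM dual)||'"
10.0.0.5 500 "TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'"
10.0.0.5 200 "TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'"
10.0.0.9 200 "TrackingId=abc123"
"""

LINE_RE = re.compile(r'^(\S+) (\d{3}) "TrackingId=([^"]*)"$')

# Fragments of the conditional-error technique: Oracle string concatenation
# into a subquery, CASE WHEN, and the divide-by-zero used as the error oracle.
SQL_MARKERS = [
    re.compile(r"\|\|\s*\("),
    re.compile(r"\bSELECT\b", re.IGNORECASE),
    re.compile(r"\bCASE\s+WHEN\b", re.IGNORECASE),
    re.compile(r"1\s*/\s*0"),
]

def parse_log(text):
    """Yield (ip, status, cookie) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)

def is_probe(cookie):
    """A tracking id should be an opaque token; a quote or SQL syntax is a probe."""
    return "'" in cookie or any(p.search(cookie) for p in SQL_MARKERS)

def analyse(text):
    """Per client: probes sent and how many drew a 500 (the 200/500 split is the oracle)."""
    stats = {}
    for ip, status, cookie in parse_log(text):
        entry = stats.setdefault(ip, {"probes": 0, "errors": 0})
        if is_probe(cookie):
            entry["probes"] += 1
            if status == 500:
                entry["errors"] += 1
    return stats

if __name__ == "__main__":
    for ip, s in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} probes, {s['errors']} returned 500")
```

A client whose probes alternate between 200 and 500 responses, as 10.0.0.5 does here, is reading the server's error behaviour one bit at a time; returning a generic error page and binding the cookie as a query parameter removes the oracle.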

My session kept timing out because my attacks took too long, so stay tuned for the next blog, where, with the help of the community solution (https://youtu.be/_7w-KEP_K5w), I will script the exploit using Python.
