Blind SQL injection with conditional responses

Link : https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses


Last updated 2 months ago

Description:

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and no error messages are displayed. But the application includes a Welcome back message in the page if the query returns any rows.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Proof of concept:

  1. Go through every feature of the target application.

  2. The target sets a cookie containing a TrackingId parameter.

  3. Try injecting a basic SQL injection payload such as a single quote ('), then compare the response before and after the injection. Before the injection the response contains the message "Welcome back!"; after it, that string is gone. The unbalanced quote breaks the query, the error is hidden and no rows come back, so this is an initial indication that the cookie is vulnerable to SQL injection.

  4. To confirm it, inject another basic SQL injection payload. The payload used here is ' AND '1'='1, whose condition is true. When it is appended to the TrackingId cookie parameter the query's condition is true, so the system returns the same response it gives for a valid cookie.

  5. As the image above shows, because the injected payload evaluates to true the response is back to normal, i.e. the "Welcome back!" message is present again. To double-check, I injected another payload, this time a basic payload that evaluates to false: ' AND '1'='2.

  6. As the image above shows, when the injected payload is false the "Welcome back!" message does not appear. It can therefore be concluded that the TrackingId cookie parameter is vulnerable to SQL injection.

  7. Next, exploit the SQL injection vulnerability with a Python script like the one in the image below.

  8. Then run the Python script with the command python <<filename>>.py