Blind SQL Injection with conditional responses | PortSwigger
In this video, I demonstrate how to exploit a blind SQL injection vulnerability to retrieve the administrator's password from a website that tracks users with cookies. The lab does not return any error messages or direct query results, but it responds with a "Welcome back" message whenever the query returns at least one row, and that difference in the response is the only signal the attack uses.

Key steps shown in the video:

Intercepting the request: I use Burp Suite to intercept the request containing the TrackingId cookie. This cookie value is the injection point.

Testing for blind SQL injection: By appending the payload ' AND '1'='1 to the cookie value, I check a true condition and confirm that the response includes the "Welcome back" message. I then test a false condition with ' AND '1'='2 and confirm the message is absent.

Confirming the users table: I use the payload ' AND (SELECT 'a' FROM users LIMIT 1)='a to confirm that the users table exists.

Finding the administrator: I modify the payload to ' AND (SELECT 'a' FROM users WHERE username='administrator')='a to verify that the administrator user exists.

Determining the password length: I iteratively test the condition LENGTH(password) > X with different values of X until the "Welcome back" message disappears.

Extracting the password: Using Burp Intruder, I use the SUBSTRING() function to test each character of the password against the possible characters (a-z, 0-9). The attack is repeated for each character position until the password is fully recovered. Finally, I log in as the administrator using the obtained password.

This demonstration shows how a blind SQL injection attack works when the only feedback is a conditional response, and how Burp Suite tools are used to automate it, ultimately gaining access to sensitive user data. #SQLInjection #BlindSQLInjection #BurpSuite #Pentesting #Cybersecurity
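As an added illustration that is not part of the video or of the lab's own code: a constructed SQLite stand-in for the tracking-cookie lookup, with the string-concatenated query that produces the "Welcome back" oracle beside a parameterised version that does not. The table names, the sample cookie value and the sample password are assumptions.

```python
import sqlite3


def build_db():
    # Constructed in-memory schema standing in for the lab's tables (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("CREATE TABLE tracking (id TEXT)")
    db.execute("INSERT INTO users VALUES ('administrator', 'example-password')")
    db.execute("INSERT INTO tracking VALUES ('abc123')")
    return db


def welcome_back_vulnerable(db, tracking_id):
    # The cookie value is concatenated straight into the SQL text, so a
    # condition appended to it becomes part of the WHERE clause. The page
    # only reveals whether a row came back: the conditional response.
    sql = f"SELECT id FROM tracking WHERE id = '{tracking_id}'"
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # A syntax error from a malformed payload looks like "no row".
        return False


def welcome_back_hardened(db, tracking_id):
    # Parameterised query: the cookie is bound as data and never parsed as
    # SQL, so an appended condition is just an unknown tracking id.
    sql = "SELECT id FROM tracking WHERE id = ?"
    return db.execute(sql, (tracking_id,)).fetchone() is not None


def has_conditional_oracle(db, welcome_back):
    # True when a known-true and a known-false injected condition produce
    # different responses, i.e. the site leaks one bit per request.
    true_cond = "abc123' AND '1'='1"
    false_cond = "abc123' AND '1'='2"
    return welcome_back(db, true_cond) != welcome_back(db, false_cond)


if __name__ == "__main__":
    db = build_db()
    admin_probe = "abc123' AND (SELECT 'a' FROM users WHERE username='administrator')='a"
    print("vulnerable oracle:", has_conditional_oracle(db, welcome_back_vulnerable))
    print("vulnerable admin probe:", welcome_back_vulnerable(db, admin_probe))
    print("hardened oracle:", has_conditional_oracle(db, welcome_back_hardened))
```

Under the hardened lookup every injected cookie value is simply unknown, so the true and false conditions are indistinguishable and the length and SUBSTRING() probes from the video have nothing to measure.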