9. Blind SQL injection with conditional responses

The target contains a SQL injection vulnerability in its TrackingId cookie, which it issues to
keep track of visitors for analytics purposes. If a valid, recent cookie is provided, the site
responds with "Welcome back!". We aren't able to use UNION attacks to retrieve data from the
database, but that conditional response gives us a yes/no oracle we can use to find the administrator password.

Using the SUBSTRING function, we binary search for each character of the administrator
password. This lab only uses lowercase letters and digits in the password, so the range of
characters to search through is:

0123456789abcdefghijklmnopqrstuvwxyz

We binary search each character of the password, one at a time, until we have the full password. Then
we log in as the administrator.
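The reason the oracle exists is that the cookie value is spliced into the SQL text. The following added example (not part of the lab or this writeup) models the tracking lookup with an in-memory SQLite table: a concatenated query lets an injected condition change the "Welcome back!" outcome, a bound parameter does not, and a simple allowlist check flags cookies that do not look like tracking IDs. The table, its contents and the TrackingId format are constructed assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the site's tracking table (example data, not the lab's).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tracking (id TEXT)")
    con.execute("INSERT INTO tracking VALUES ('xyz123')")
    return con

def welcome_vulnerable(con, tracking_id):
    # Cookie value concatenated into the query: a quote in the cookie ends the
    # string literal and whatever follows is parsed as SQL, so an injected
    # condition decides whether a row (and thus "Welcome back!") comes back.
    sql = f"SELECT id FROM tracking WHERE id = '{tracking_id}'"
    row = con.execute(sql).fetchone()
    return "Welcome back!" if row else ""

def welcome_fixed(con, tracking_id):
    # Bound parameter: the whole cookie is compared as one data value, so no
    # cookie content can alter the query's logic and the oracle disappears.
    row = con.execute("SELECT id FROM tracking WHERE id = ?", (tracking_id,)).fetchone()
    return "Welcome back!" if row else ""

# Assumed TrackingId format: alphanumeric only. Anything else is not a cookie
# the application ever issued and is worth logging as a probe attempt.
TRACKING_ID_RE = re.compile(r"^[A-Za-z0-9]+$")

def is_wellformed_tracking_id(tracking_id):
    return TRACKING_ID_RE.fullmatch(tracking_id) is not None

def demo():
    con = make_db()
    # Constant conditions stand in for the SUBSTRING comparisons described above:
    # a true condition keeps the greeting, a false one removes it.
    true_probe = "xyz123' AND '1'='1"
    false_probe = "xyz123' AND '1'='2"
    return {
        "vuln_true": welcome_vulnerable(con, true_probe),    # "Welcome back!"
        "vuln_false": welcome_vulnerable(con, false_probe),  # ""
        "fixed_true": welcome_fixed(con, true_probe),        # "" (no such cookie)
        "fixed_real": welcome_fixed(con, "xyz123"),          # "Welcome back!"
        "probe_flagged": not is_wellformed_tracking_id(true_probe),  # True
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```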


Solution