1.10 Lab: Blind SQL injection with time delays | 2023
2023-12-7 01:38:42 Author: infosecwriteups.com

The tracking cookie in this application is vulnerable to SQL injection. The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. Since the query is executed synchronously, it is possible to trigger conditional time delays to infer information. To solve the lab, exploit the SQL injection vulnerability to cause a 10-second delay. | Karthikeyan Nagaraj

Karthikeyan Nagaraj

InfoSec Write-ups

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.

To solve the lab, exploit the SQL injection vulnerability to cause a 10-second delay.

Pre-Requisite

Find the type of database using the SQL injection cheat sheet below.

Solution

  1. Capture the request for the home page and send it to Repeater. We know that the vulnerability lies in the tracking cookie.
  2. Add the query below to the end of the TrackingId value and send the request to solve the lab: '|| (SELECT PG_SLEEP(10)) --
  3. This delays the application's response by 10 seconds.
  4. If you don’t know what the type of database is, then you can try any of the below commands one by one to verify.
Oracle - dbms_pipe.receive_message(('a'),10)
Microsoft - WAITFOR DELAY '0:0:10'
PostgreSQL - SELECT pg_sleep(10)
MySQL - SELECT SLEEP(10)
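
Why the suffix in step 2 reaches the database, and why binding the cookie value stops it, as an added example that is not part of the original write-up or the lab's code. It assumes SQLite as a stand-in for the lab's PostgreSQL backend, a hypothetical tracked_users table, a constructed TrackingId prefix "x", and a pg_sleep stand-in that records the requested delay instead of sleeping.

```python
import sqlite3

# Constructed stand-in for the lab backend: SQLite replaces PostgreSQL, and
# pg_sleep is a registered function that records the requested delay instead
# of sleeping, so the run is instant and the outcome is deterministic.
# "x" is a constructed TrackingId value; the rest is the suffix from step 2.
PAYLOAD = "x'|| (SELECT PG_SLEEP(10)) --"


def make_db():
    """Return (connection, delays); delays collects every pg_sleep() argument."""
    delays = []
    conn = sqlite3.connect(":memory:")
    conn.create_function("pg_sleep", 1, delays.append)
    # Hypothetical table name and row, not taken from the lab.
    conn.execute("CREATE TABLE tracked_users (tracking_id TEXT)")
    conn.execute("INSERT INTO tracked_users VALUES ('abc123')")
    return conn, delays


def lookup_concatenated(conn, tracking_id):
    """Vulnerable: the cookie value is spliced into the SQL text."""
    sql = ("SELECT tracking_id FROM tracked_users "
           "WHERE tracking_id = '" + tracking_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, tracking_id):
    """Hardened: the cookie value is bound as data and never parsed as SQL."""
    sql = "SELECT tracking_id FROM tracked_users WHERE tracking_id = ?"
    return conn.execute(sql, (tracking_id,)).fetchall()


def demo():
    """Run both lookups with the same cookie value on fresh databases."""
    results = {}
    for name, lookup in (("concatenated", lookup_concatenated),
                         ("parameterized", lookup_parameterized)):
        conn, delays = make_db()
        rows = lookup(conn, PAYLOAD)
        results[name] = {"rows": rows, "delays_requested": list(delays)}
        conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Both lookups return no rows, which is why the lab's response body gives nothing away; only the concatenated query ever calls the delay function, and that call is the timing signal.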

Article source: https://infosecwriteups.com/1-10-lab-blind-sql-injection-with-time-delays-2023-a95a3b8557ec?source=rss----7b722bfd1b8d--bug_bounty