Exploiting a Blind SQLi
In Chapter 6, Exploitation – Low Hanging Fruits, we exploited an error-based SQL Injection; now we will identify and exploit a Blind SQL Injection using Burp Suite's Intruder as our main tool.
Getting ready
We will need our browser to use Burp Suite as a proxy for this recipe.
How to do it...
Browse to http://192.168.56.102/WebGoat and log in with webgoat as both the username and password.
Click on Start WebGoat to go to WebGoat's main page.
Go to Injection Flaws | Blind Numeric SQL Injection.
The page says that the goal of the exercise is to find the value of a given field in a given row. We will do things a little differently, but let's first see how it works: Leave 101 as the account number and click Go!.
Now try with 1011.
Up to now, we have seen the behavior of the application; it only tells us if the account number is valid or not.
Let's try an injection as it is looking for numbers and probably using them as integers to search. We won't use the apostrophe in this test...
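The valid/invalid behavior described above, reproduced as an added example (not code from the book or from WebGoat) beside a hardened version of the same check. The table, column names, sample rows and probe strings are constructed assumptions; an in-memory SQLite database stands in for the application's back end.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (userid INTEGER, pin INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [(101, 4321), (102, 8765)])
    return db


def is_valid_vulnerable(db, account_number):
    # The input lands in a numeric context, so no apostrophe is needed to
    # change the query's logic and quote escaping would not protect it.
    query = "SELECT COUNT(*) FROM accounts WHERE userid = " + account_number
    return db.execute(query).fetchone()[0] > 0


def is_valid_hardened(db, account_number):
    # Accept only a short run of ASCII digits, then bind it as a parameter
    # so the value can never be parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", account_number):
        return False
    row = db.execute("SELECT COUNT(*) FROM accounts WHERE userid = ?",
                     (int(account_number),)).fetchone()
    return row[0] > 0


def compare(db, probes):
    # For each input, return (vulnerable verdict, hardened verdict).
    return {p: (is_valid_vulnerable(db, p), is_valid_hardened(db, p))
            for p in probes}


if __name__ == "__main__":
    # Constructed probes: two plain numbers and two with a boolean suffix.
    probes = ["101", "1011", "101 AND 1=1", "101 AND 1=2"]
    for probe, (vuln, hard) in compare(make_db(), probes).items():
        print(f"{probe!r:16} vulnerable={vuln!s:5} hardened={hard}")
```

In the vulnerable check the verdict follows the truth of the appended condition, which is the only signal a blind injection has; the hardened check answers "invalid" for anything that is not a plain integer.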