Blind SQL Injection in Oracle Database: Exfiltrating Data with Burp Collaborator — SQL Injection Labs

[Write-up] Blind SQL Injection with Out-of-Band Data Exfiltration.

Overview

The Blind SQL Injection with Out-of-Band Data Exfiltration lab is a security exercise conducted in the PortSwigger environment. This lab demonstrates how a blind SQL injection vulnerability can be exploited to extract sensitive data using out-of-band (OOB) techniques. Since the application does not provide direct feedback from SQL queries, attackers must rely on external interactions to retrieve data.

Blind SQL Injection In Oracle Database with Out-of-Band Data Exfiltration

Disclaimer:
The techniques described in this document are intended solely for ethical use within the controlled environment of PortSwigger Labs for educational and training purposes. Unauthorized use of these methods outside approved environments is strictly prohibited, as it is illegal, unethical, and may lead to severe consequences.

It is crucial to act responsibly, comply with all applicable laws, and adhere to established ethical guidelines. Any activity that exploits security vulnerabilities or compromises the safety, privacy, or integrity of others is strictly forbidden.

Table of Contents

1. Summary of the Vulnerability
2. Steps to Reproduce & Proof of Concept (POC)
3. Impact
4. Mitigation

Summary of the Vulnerability

This lab contains a blind SQL injection vulnerability within an application that uses a tracking cookie for analytics. The cookie value is embedded in a SQL query that is executed asynchronously, meaning it does not directly affect the application’s response.

However, by exploiting this vulnerability, attackers can trigger out-of-band (OOB) interactions with an external domain to extract data. The database contains a users table with username and password columns. The goal is to exploit this blind SQL injection to retrieve the administrator’s password and log in as the administrator.

Hint:
Useful SQL injection payloads can be found in the PortSwigger SQL Injection Cheat Sheet.

Steps to Reproduce & Proof of Concept (POC)

1. Open the Lab

2. Visit one of the available product categories. In this example, we will use the Accessories category:

https://<your-lab-id>.web-security-academy.net/filter?category=Accessories

3. Open Burp Suite and go to the HTTP History tab. Right-click the request and select Send to Repeater for further testing

4. The application stores user credentials in a users table with two key columns:

• username
• password

Since we already know the structure of the database, our goal is to extract the administrator’s password using an out-of-band (OOB) SQL Injection payload.

5. You can leverage PortSwigger’s SQL Injection Cheat Sheet for payload ideas. The following Oracle SQL Injection payload will attempt to trigger an external request to Burp Collaborator, allowing us to exfiltrate data:

6. First, test the payload by extracting the password for the Wiener user and sending it to Burp Collaborator:

7. Once the Wiener password retrieval is successful, modify the payload to extract the administrator’s password:

8. Use the extracted credentials to log in to the application as the administrator

9. Once logged in, you have successfully completed the lab

10. If you want to further test the exploit, try retrieving the database name using this query:

Impact

• Potential data breaches by leaking confidential database information
• The vulnerability could be weaponized for further exploitation, such as privilege escalation or lateral movement within the system

Mitigation

• Use Parameterized Queries or Prepared Statements
• https://www.linkedin.com/advice/1/what-best-way-limit-user-access-data-database-na0wc

Source: PortSwigger Labs

Thank you for taking the time to read and follow this tutorial.

Latest Cybersecurity News, Vulnerabilities, and Technical Analysis