Burp Suite User Forum


Blind SQL injection with conditional responses - on WebSecurity Academy

Mandalorian | Last updated: Sep 15, 2020 02:40AM UTC

The page on this lab is always showing "Welcome back!" whether there is a correct SQLi query or not, even without using SQLi on the TrackingId cookies. It's hard to find the answer for this lab. Thank you. Best regards, Mandalorian22X

Ben, PortSwigger Agent | Last updated: Sep 15, 2020 01:05PM UTC

Hi, Are you able to provide details of the steps that you have taken so far to try and solve this? In addition, have you viewed the following video solution to see if that provides you with some additional hints: https://www.youtube.com/watch?v=-d-qkc-hKX8

Paul | Last updated: Mar 12, 2021 12:56AM UTC

Hi PortSwigger, I've managed to find the additional hint you mentioned through my own research, but why are the injection commands used in the video so different to what is written in your cheatsheet or even in the description page (https://portswigger.net/web-security/sql-injection/blind)? I get that these resources cannot contain the entirety of what SQL Injection is or what is Blind SQL Injection, but if the labs are reflective of the lessons and the lessons contain the key takeaway, should it not at least be the same key consistently? This is reflected in many of the labs leading up to this point. I thought it should be made obvious before I continue hitting my head against a wall... I'm not ungrateful for the free resources, I'm asking for the information to be true please.

Ben, PortSwigger Agent | Last updated: Mar 15, 2021 11:22AM UTC

Hi Paul, Which part of the lab are you referring to?
