Burp Suite User Forum


Solving Lab: Blind SQL injection with out-of-band data exfiltration without Burp Pro

Corvin | Last updated: May 29, 2020 01:13PM UTC

Hi, idk if this is the right place to ask these kinds of questions, so I apologize in advance for that. I'm trying to solve "Lab: Blind SQL injection with out-of-band data exfiltration" (https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration), but I don't own a professional version of Burp Suite to use Burp Collaborator because I cannot afford it at the moment. I'm wondering if this lab is solvable without it? I tried to work around this issue, so I used my domain to add a bunch of NS records which point to the IP of a server I wrote, which captures UDP packets coming in on port 53 (DNS). The server simply dumps the DNS query and responds with a spoofed packet that always returns 127.0.0.1 with a TTL of 60 seconds as an answer. I tested it and it seems to work. Requests initiated from a browser on a bunch of different networks hit my "DNS server". The problem comes when I'm injecting the payload that should solve the lab. It simply does not work. So I'm wondering if there's some sort of rule that blocks DNS queries to unknown domain names? Thank you!
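As an added illustration (not code from the original post or from PortSwigger), this is a minimal catch-all DNS responder of the kind described above: it parses the question name out of a raw UDP query, logs it, and answers every query with a single A record for 127.0.0.1 and a TTL of 60 seconds. The bind address, port and the sample query for `test.example.com` are constructed for this example; the lab itself only accepts interactions with the public Collaborator server, so this listener is useful for understanding how out-of-band DNS interaction logging works, not for solving that lab.

```python
import socket
import struct

DNS_HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount (6 x uint16)


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Construct a standard recursive A query for `name` (used here only as sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_query_name(packet: bytes) -> str:
    """Return the dotted name from the first question section of a DNS packet."""
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("packet too short for a DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], DNS_HEADER_LEN
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not expected in a question
            raise ValueError("unsupported label format")
        labels.append(packet[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels)


def build_response(query: bytes, answer_ip: str = "127.0.0.1", ttl: int = 60) -> bytes:
    """Echo the question and attach one A record, regardless of the requested type."""
    txid = query[0:2]
    pos = DNS_HEADER_LEN
    while query[pos] != 0:            # walk the labels to the terminating zero byte
        pos += 1 + query[pos]
    pos += 1 + 4                      # zero label + QTYPE + QCLASS
    question = query[DNS_HEADER_LEN:pos]
    flags = 0x8180                    # QR=1 (response), RD=1, RA=1, RCODE=0
    header = txid + struct.pack("!HHHHH", flags, 1, 1, 0, 0)
    # Answer RR: name pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def handle_packet(data: bytes, addr: tuple) -> tuple:
    """Log the queried name with the source address and return (name, response bytes)."""
    name = parse_query_name(data)
    print(f"DNS query from {addr[0]}: {name}")  # this line is the 'dump' the post refers to
    return name, build_response(data)


def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Listen for UDP DNS queries and answer each one (binding to 53 normally needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            _, response = handle_packet(data, addr)
        except ValueError as exc:
            print(f"ignored malformed packet from {addr[0]}: {exc}")
            continue
        sock.sendto(response, addr)


if __name__ == "__main__":
    serve()
```

The parser deliberately rejects anything that is not a plain, uncompressed question name, since a listener exposed to the internet will receive plenty of malformed traffic; logging the queried label is what makes the out-of-band interaction observable.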

Uthman, PortSwigger Agent | Last updated: May 29, 2020 03:56PM UTC

Unfortunately, the lab requires the use of Burp Pro since you need to interact with the public collaborator server. If you have a university/work email address, you can apply for a free 30-day trial here: https://portswigger.net/requestfreetrial/pro.

Corvin | Last updated: May 29, 2020 04:02PM UTC

Thank you for your response sir


ffaadd | Last updated: Dec 22, 2020 02:39AM UTC

Can you please tag the labs that need Burp Pro with a "Burp Pro is mandatory" or "unsolvable without Burp Pro" flag, so no one spends hours trying to get a DNS request out to requestbin.net, for example? It is completely OK for me that you prefer your tool and build courses that are only solvable with this tool. The sentence "The easiest and most reliable way to use out-of-band techniques is using Burp Collaborator." implies that this course is also solvable without Burp Pro (but not so easily).

Uthman, PortSwigger Agent | Last updated: Dec 22, 2020 09:03AM UTC

Hi, thanks for the feedback. The Collaborator is a feature of Burp Professional and is greyed out in Burp Community, so we assume that users are aware that this is a Pro-only feature.

ffaadd | Last updated: Dec 22, 2020 05:23PM UTC

Hi, thanks for your fast reply, but I think you misunderstood me. It's clear to me and everyone that the Collaborator is a Pro feature of Burp. My point was that you offer a really nice and free lab to get security-interested people on track and then frustrate them because you didn't make clear that this challenge works *only* with Burp Pro and the Collaborator. There are free tools out there that would work as well (like requestbin.net) and you can do the same out-of-band attack with them. As mentioned in my previous post, I'm fine with the fact that you make labs that are only solvable with your (paid) tool, but my request was to mark these labs, so it is clear that they are not solvable with other tools. To break it down: the lab "Blind SQL injection with out-of-band data exfiltration" did not mention that Burp Pro is mandatory. It only says that it is "the easiest way", not "the only way" (which is what you told us here in your first post). Thanks, ffaadd

ffaadd | Last updated: Dec 22, 2020 06:00PM UTC

Ooh. I saw the note "You must use the public Burp Collaborator server (burpcollaborator.net)." Was that note there yesterday? If so, then it was too late for me to link this note to "Burp Pro required" in my brain. Sorry, got it...

Uthman, PortSwigger Agent | Last updated: Dec 23, 2020 08:56AM UTC

Hi, no worries. Yes, that has always been in the lab description. Please do let us know if you have any further feedback.

arjun | Last updated: Apr 04, 2023 12:08PM UTC

Well, what do I say? I perform a manual Sniper attack for blind SQL injection, which can also be done with Cluster bomb; I don't know, it's much faster than Sniper. My only suggestion is to at least try to free some paid tools if the user doesn't have money but solves the labs and has at least a level of professionalism!!!

Adam | Last updated: Mar 04, 2024 03:25AM UTC

Ah. This is unfortunate. Didn't know it would end up with unsolvable paywalled labs. Is it possible to get interactsh whitelisted for this lab? https://app.interactsh.com/ It's free to use and a pretty common tool from what I've seen online. Regards, Adam

Ben, PortSwigger Agent | Last updated: Mar 04, 2024 09:06AM UTC

Hi Adam, we have no plans to open up this (and similar labs) to be able to use external tools.
