Exploiting a Blind SQLi
In Chapter 6, Exploitation – Low Hanging Fruits, we exploited an error-based SQL Injection, and now we will identify and exploit a Blind SQL Injection using Burp Suite's Intruder as our main tool.
We will need our browser to use Burp Suite as a proxy for this recipe.
How to do it...
- Browse to http://192.168.56.102/WebGoat and log in with webgoat as both the username and password.
- Click on Start WebGoat to go to WebGoat's main page.
- Go to Injection Flaws | Blind Numeric SQL Injection.
- The page says that the goal of the exercise is to find the value of a given field in a given row. We will do things a little differently, but let's first see how it works: leave 101 as the account number and click Go!.
- Now try with