Exploiting a Blind SQLi

In Chapter 6, Exploitation – Low Hanging Fruits, we exploited an error-based SQL Injection and now we will identify and exploit a Blind SQL Injection using Burp Suite's Intruder as our main tool.

Getting ready

We will need our browser to use Burp Suite as a proxy for this recipe.

How to do it...

  1. Browse to http://192.168.56.102/WebGoat and log in with webgoat as both the username and password.
  2. Click on Start WebGoat to go to WebGoat's main page.
  3. Go to Injection Flaws | Blind Numeric SQL Injection.
  4. The page says that the goal of the exercise is to find the value of a given field in a given row. We will do things a little differently but let's first see how it works: Leave 101 as the account number and click Go!.
  5. Now try with 1011 ...

Get Kali Linux Web Penetration Testing Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial