Showing posts from October, 2016

SQLi and Blind SQLi in search field

This continues from my earlier posts on SQLi in search fields:

I recently found one sqli which was both in nature- generic sqli and blind sqli. As I have already said, search boxes are always an unusual suspect and we tend to generally overlook them.

But the field was not vulnerable to simple queries like ' or ''=', would have missed it if would not have tried similar to ' or ''='' or ''='. I fired Burp intruder and got a couple of more payloads which worked. Still I am not able to understand the difference between these two queries, why they yield different results.

Anyways, the sqli got exploited and the app displayed all the records from the table.

Now turn for blind sqli:
The same field was also vulnerable to blind sqli. This became more important as the automated tools such as SQLmap, failed due to some errors or the apps being unstable. So it is purely man…