This continues from my earlier posts on SQLi in search fields:
http://nileshkumar83.blogspot.sg/2012/10/sql-injection-in-search-field.html
I recently found an SQLi that was both generic and blind in nature. As I have already said, search boxes are always an unusual suspect, and we tend to overlook them.
But the field was not vulnerable to simple payloads like ' or ''='; I would have missed it if I had not tried a similar one, ' or ''='' or ''='. I fired Burp Intruder and got a couple more payloads that worked. I still do not understand the difference between these two queries and why they yield different results.
Anyway, the SQLi got exploited and the app displayed all the records from the table.
Now the turn for blind SQLi:
The same field was also vulnerable to blind SQLi. This became more important because automated tools such as sqlmap failed due to errors or the app being unstable, so extracting information about the DB was a purely manual effort.
The following query greatly helped:
param= ' or ascii(substring('sqlquery',1,1))>ASCII value of a character or ''='   (the > can also be = to test for an exact character)
A true result for the query returns the page with some records. Here sqlquery can be replaced with any query that provides information about the DB. For example,
ascii(substring((Select USER from DUAL),1,1))>47 , where 47 is the ASCII value of /. The digits and letters start after this.
So, by asking queries one by one based on true/false conditions, we were able to extract the DB username, current DB name, hostname etc. Since this was a manual and slow effort, a few proofs like these were enough to demonstrate that blind SQLi is possible.