Nytro
Posted March 8, 2016

Data Extraction via String Concatenation in a Blind SQL Injection Vulnerability
March 7, 2016
Posted By Carlos Muñoz

Day One: In Which The Heavens Part, But Only Slightly

A few weeks ago while performing a web application test for $CLIENT, I happened to run into search functionality. As one of the very first standard tests I inserted a single quote ' into the search field and clicked the search button. The SQL error message that was returned was the stuff dreams are made of (i.e.: a lot of info, slightly vague, not everything there, but enough in that moment to make you really, really believe). After a few quick tests to see if anything easy could be obtained (nope, no such luck), and confirming that I wouldn't be negatively impacting $CLIENT's systems if I did so, I turned it over to automated tools and went about testing other parts of the application.

Time passed, and a few other issues were discovered and documented (it doesn't exist if no one else can reproduce it from your official description), and I went back to view the progress of automated tools, eager to see the keys to the kingdom laid down before me.

Nothing.

Okay, maybe I made a mistake or two setting the automated tools up? Investigations disproved that line of thinking, as the recorded request/response pairs showed the attacks were being properly sent with all the appropriate data. It is probably my imagination, but I think I can hear $CLIENT's webapp laughing at me.

Hmmmm . . . this may be a bit more complex than I had hoped.

Full article: https://www.trustwave.com/Resources/SpiderLabs-Blog/Data-Extraction-via-String-Concatenation-in-a-Blind-SQL-Injection-Vulnerability/