Nytro

Data Extraction via String Concatenation in a Blind SQL Injection Vulnerability


  • March 7, 2016
  • Posted By Carlos Muñoz

Day One: In Which The Heavens Part, But Only Slightly

A few weeks ago while performing a web application test for $CLIENT, I happened to run into search functionality. As one of the very first standard tests I inserted a single quote ' into the search field and clicked the search button.

The SQL error message that was returned was the stuff dreams are made of (i.e., a lot of info, slightly vague, not everything there, but enough in that moment to make you really, really believe). After a few quick tests to see if anything easy could be obtained (nope, no such luck), and confirming that I wouldn't be negatively impacting $CLIENT's systems if I did so, I turned it over to automated tools and went about testing other parts of the application.

Time passed, and a few other issues were discovered and documented (it doesn't exist if no one else can reproduce it from your official description), and I went back to view the progress of automated tools, eager to see the keys to the kingdom laid down before me.

 

Nothing.

Okay, maybe I made a mistake or two setting the automated tools up? Investigations disproved that line of thinking, as the recorded request/response pairs showed the attacks were being properly sent with all the appropriate data.

It is probably my imagination, but I think I can hear $CLIENT's webapp laughing at me.

Hmmmm . . . this may be a bit more complex than I had hoped.

 

Full article:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Data-Extraction-via-String-Concatenation-in-a-Blind-SQL-Injection-Vulnerability/
