Page 105 - Hands-On Bug Hunting for Penetration Testers
SQL, Code Injection, and Scanners Chapter 5
URL: http://webscantest.com/datastore/search_by_id.php
PAYLOAD: sleep(16000/1000);
METHODOLOGY: Vulnerability detected with Arachni scanner, v. 1.5.1-0.5.12
INSTRUCTIONS TO REPRODUCE:
1. Navigate to "/search_by_id.php"
2. Enter the SQLi payload into the search form.
3. Submit the query.
4. The time-based SQLi code will cause a delay in the SQL thread execution.
ATTACK SCENARIO:
With a time-based SQL injection vulnerability to exploit, a malicious actor
could use the time-delay combined with SQL expressions to enumerate
sensitive information: authentication credentials, payment data, DB
information, and more.
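The defender-side counterpart to the report above, as an added example that is not code from the book: it scans constructed access-log lines for time-based SQLi probes such as the sleep(16000/1000) payload reported here and reports the delay each would impose on the database thread. The log lines, client IPs and timestamps are constructed samples; only the path comes from the report.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Combined Log Format; the path mirrors the report above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /datastore/search_by_id.php?id=3 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /datastore/search_by_id.php?id=3%27%20AND%20sleep(16000/1000)--%20 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:02:30 +0000] "GET /datastore/search_by_id.php?id=1%20OR%20BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:03:00 +0000] "GET /datastore/search_by_id.php?id=1%20WAITFOR%20DELAY%20%270:0:7%27 HTTP/1.1" 500 120
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SLEEP_RE = re.compile(r'\bsleep\s*\(\s*([0-9./ ]+)\)', re.I)      # MySQL sleep(N) / sleep(N/1000)
BENCH_RE = re.compile(r'\bbenchmark\s*\(', re.I)                  # MySQL CPU-burn variant
WAITFOR_RE = re.compile(r"waitfor\s+delay\s+'(\d+):(\d+):(\d+)'", re.I)  # MSSQL

def delay_seconds(value):
    """Return the delay in seconds a known timing payload would impose, else None."""
    m = SLEEP_RE.search(value)
    if m:
        # Payloads use plain N or N/1000 (as in the report); do the division by hand,
        # never with eval(), so attacker-controlled text is not executed.
        num, _, den = m.group(1).replace(" ", "").partition("/")
        return float(num) / (float(den) if den else 1.0)
    m = WAITFOR_RE.search(value)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return float(h * 3600 + mi * 60 + s)
    if BENCH_RE.search(value):
        return 0.0  # duration is CPU-bound and server-dependent, so only flag it
    return None

def find_time_based_sqli(log_text):
    """Return (ip, path, param, delay) for every request carrying a timing payload."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl URL-decodes each value, so %27/%20 become ' and space here
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            d = delay_seconds(value)
            if d is not None:
                hits.append((m.group("ip"), parts.path, name, d))
    return hits

if __name__ == "__main__":
    for ip, path, param, d in find_time_based_sqli(SAMPLE_LOG):
        print(f"{ip} {path} {param}= implied_delay={d:.1f}s")
```

Alerting on any request whose implied delay exceeds normal response time (the report's payload implies 16 s) gives a simple detection for the probing phase, independent of whether the injection actually succeeded.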
Summary
This chapter covered the fundamentals of SQL and NoSQL injection, using sqlmap to test a
target host URL, the value of Google Dorks for both application-targeted and general
vulnerability analysis, and reporting a SQLi bug properly, from detection to submission.
In the next chapter, we'll discuss cross-site request forgery (CSRF), how to create (and
automate) CSRF PoCs, where CSRF occurs, validating a CSRF vulnerability, strategies for
reporting the bug, and more.
Questions
1. What are blind SQLi, error-based SQLi, and time-based SQLi?
2. What are some of the dangers of trying to detect SQLi vulnerabilities using
aggressive string inputs?
3. What's a Google dork? How did it get its name?
4. What command-line options are particularly useful for the arachni CLI?
5. How do you generate a report from an Arachni Framework Report (.afr) file?
6. What are some injection vectors in MongoDB?
7. What's the value of being able to make a SQL thread sleep?