The case of an unusual $10k worth content-based Blind SQLi in a Private Program - Andmp | A blog about infosec, bug hunting and more!

"Good artists copy; great artists steal."

Just another web hacking and vulnerability research blog that details how I use existing knowledge and old ways to discover new vulns ;)



Post Top Ad

Sunday 31 March 2019

The case of an unusual $10k worth content-based Blind SQLi in a Private Program

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible. 

Using a simple page, which displays an article with given ID as the parameter, the attacker may perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.
Example URL:
sends the following query to the database:
SELECT title, description, body FROM items WHERE ID = 2
The attacker may then try to inject a query that returns 'false': and 1=2
Now the SQL query should looks like this:
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will inject a query that will return 'true': and 1=1
If the content of the page that returns 'true' is different than that of the page that returns 'false', then the attacker is able to distinguish when the executed query returns true or false.
Once this has been verified, the only limitations are privileges set up by the database administrator, different SQL syntax, and the attacker's imagination

(From Owasp)


Bummer, did you notice something? Title seemed dope? Couldn't resist looking at it once? Sorry to spoil your excitement mate. (Sed lyf you know!) Anyway, keep reading.

Wtf? Just copy-pasted content? 

By the way, did you forget what day it is? (That depends on your timezone though)

Pro Tip: Learn to distinguish clickbaits from legit ones. You 're still young at it and just another noob, much like me.


Finally, it makes sense. Right, it does. Just look up your calendar if you still didn't!

TODAY IS THE FIRST DAY OF APRIL! So, 10k figure makes sense I guess, first day of April (1) and 4th month of the year in succession (4 zeros follow).

Anyways, here's a good link to cheer you up! Btw, do you have a similar $10k writeup, do share with me on Twitter ;)

Read more about Blind SQLi here,

And here we go! Don't get fooled by clickbaits and last but not the least, (a meme stolen from the internet πŸ˜†),

Alright, if it disappointed you then you are not alone. Who doesn't want $10k after all? If you read till the end, my clickbait experiment was successful. 

Thanks for participating in my April Fool's day clickbait experiment. Another important thing, don't forget to let me know how you felt about it, after reading all this, come on, do say some good words in the comment box or, on Twitter! 


Let me know what you felt after reading the article!

Post Bottom Ad