Three different types of SQL injection in one POST parameter

SRLSEC 🇮🇳
3 min readAug 12, 2021

Hi everyone, I’m Sarathlal Srl (a.k.a. SRLSEC) from India. SQL injection is my favorite attack, so I always try to learn more about it. In the previous write-up, I explained what SQL injection is and how to approach a target. In this short write-up, I will describe how I found three different types of SQL injection in one POST parameter. I found this vulnerability on Kerala’s online recharge website. The sensitive parts are redacted in red.

After authenticating in the application, I noticed that there’s an Add Shortcuts button, and I came across the following request:

So let’s start testing the input for SQL injection.

1. Error-based SQL Injection

PAYLOAD:- [‘]

I put a single quote (‘) in the mid%5B12%5D parameter (the URL-encoded form of mid[12]), and the application returned a MySQL error. A verbose database error like this confirms that the input reaches the query unescaped, and it also tells us the backend is MySQL, which decides the syntax used in the next two payloads.

2. Time-based SQL Injection

PAYLOAD:- [' AND sleep(10)#]

I injected the MySQL sleep() function, with # commenting out the remainder of the original query.

IT WORKED!!! The server now takes 10 seconds to respond. A good check at this point is to repeat the request with different delays, for example sleep(0) and then sleep(10), and confirm that the response time tracks the value you supplied, so that ordinary network latency is not mistaken for injection.

3. Boolean-based SQL Injection

PAYLOAD:- [1' AND 1=2#]

When I added a true condition [1' AND 1=1#], the normal page was returned (true response).

When I added a false condition [1' AND 1=2#], the server returned a different response (false response).

In this type of blind attack, a Boolean condition makes the application respond differently depending on whether the injected condition is true or false. That lets an attacker extract data one true/false question at a time, even when no error message or query result is ever shown.

Impact

Server-side SQL injection leading to database access and exposure of sensitive information. Reading this information (for example admin password-reset tokens and user records) likely allows an attacker to take over administrator accounts, and from there potentially execute remote code.

Steps to prevent SQL Injection attacks

  1. Validate user input against an allow-list of the formats each parameter is expected to carry.
  2. Sanitize data by limiting special characters, but treat this as defence in depth only: blocklists of characters are routinely bypassed and are not a fix on their own.
  3. Enforce prepared statements and parameterization for every query; binding the value as data instead of splicing it into the SQL string is what actually stops all three injection types shown above.
  4. Actively manage patches and updates for the database and the application framework.
  5. Continuously monitor SQL statements and errors; a stray quote producing a MySQL error or a query that suddenly takes 10 seconds is visible in logs long before data is exfiltrated.
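As an added example (not code from the original write-up), the following Python simulation shows why the three probes above behave as they do against a query that splices the parameter into the SQL string, and why the parameterized version recommended in step 3 is immune to the same payloads. SQLite stands in for MySQL here, so the MySQL `#` comment is written as SQLite's `-- ` and sleep() is a registered user-defined function; the shortcuts table, its rows and the two lookup functions are constructed for this demo and are not the real application's.

```python
import sqlite3
import time

# Constructed sample data standing in for the recharge site's shortcuts
# lookup. SQLite replaces MySQL: the MySQL '#' comment becomes '-- ' and
# sleep() is registered below as a user-defined function.
SCHEMA = """
CREATE TABLE shortcuts (id INTEGER PRIMARY KEY, mid TEXT, label TEXT);
INSERT INTO shortcuts (mid, label) VALUES ('12', 'Electricity'), ('13', 'Water');
"""

# Anything slower than this is classified as a time-based hit.
SLOW_SECONDS = 0.5


def _sleep(seconds):
    """Stand-in for MySQL's SLEEP(): blocks, then returns 0 like MySQL."""
    time.sleep(seconds)
    return 0


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.create_function("sleep", 1, _sleep)
    return conn


def lookup_vulnerable(conn, mid):
    # The bug: untrusted 'mid' is spliced into the SQL text, so a quote
    # closes the literal and everything after it is parsed as SQL.
    sql = "SELECT label FROM shortcuts WHERE mid = '%s'" % mid
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, mid):
    # The fix: a bound parameter. The driver hands 'mid' to the engine as
    # data, so quotes, comments and sleep() inside it are never parsed.
    sql = "SELECT label FROM shortcuts WHERE mid = ?"
    return [row[0] for row in conn.execute(sql, (mid,))]


def probe(conn, lookup, payload):
    """Send one payload and classify the outcome the way a tester would:
    ('error', message), ('slow', seconds) or ('rows', [labels])."""
    start = time.monotonic()
    try:
        rows = lookup(conn, payload)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    elapsed = time.monotonic() - start
    if elapsed >= SLOW_SECONDS:
        return ("slow", round(elapsed))
    return ("rows", rows)


def run_probes(lookup):
    """The three probes from the write-up, each against a fresh database."""
    conn = connect()
    return {
        "quote": probe(conn, lookup, "'"),                 # error-based check
        "true":  probe(conn, lookup, "12' AND 1=1-- "),    # boolean true
        "false": probe(conn, lookup, "12' AND 1=2-- "),    # boolean false
        "time":  probe(conn, lookup, "12' AND sleep(1)-- "),  # time-based
    }


if __name__ == "__main__":
    for name, lookup in (("vulnerable", lookup_vulnerable),
                         ("parameterized", lookup_parameterized)):
        print(name)
        for probe_name, outcome in run_probes(lookup).items():
            print("  %-5s -> %s" % (probe_name, outcome))
```

Against the vulnerable lookup the quote produces a parser error, the true/false pair returns different row sets, and the sleep payload delays the response; against the parameterized lookup every payload is simply an unmatched string and returns no rows, with no error and no delay. With a MySQL driver such as mysql-connector or PyMySQL the placeholder is spelled `%s` rather than `?`, but the value is still passed as a separate argument to execute(), never formatted into the query string.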

HOPE YOU LIKE IT : )


Offensive Web Application Security | Python Developer | Network Engineer (L1) | Discovered over 200 Bugs | Acknowledged by NCIIPC