Getting data through SQL injections… can get nasty!

When I first learned about SQL injections it sounded all pretty easy. Just put in some SQL code and you will get the output of your query (and possibly the data that was intended to be shown too).
But as I found out today, sometimes it isn't that easy, especially when using a Blind SQL injection exploit.

Ten minutes after I first tried to hack the site I had already found the way in, but it took me more than a day to get data out of it. It turned out the ASP page expected a numeric result set out of the query and based on that queried some more (non-numeric) data. So when I did get an integer out of the database, the ASP looked it up in the database and I turned up with legit data.
But then, after I had fooled around a bit, I got an error message which returned a value out of the table I had intended to query! What I had accidentally done was convert an integer to a varchar and vice versa, so the SQL would generate an error and return the value of the field in the error message.

Knowing this, I just wrote a small python script that filtered all field data out of the error messages.

<edit> This method is great as proof for your customer, but not to really dump the DB with it... It had run all night and in the morning I had 1 MB of data pulled out of the database. </edit>
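The weakness the post relies on is two-fold: the page pastes the caller's value into the SQL text, and it echoes the database engine's error text back to the client, so a type-conversion error becomes a data channel. The following is an added example (not the author's script and not the site's code) showing the vulnerable pattern next to a hardened version, plus a small check a defender can run over HTTP response bodies to spot verbose SQL Server error text escaping to clients. It uses Python's bundled sqlite3 module with a constructed in-memory table as a stand-in for the real backend; the table, column names and error patterns are assumptions made for the example.

```python
import logging
import re
import sqlite3

logger = logging.getLogger("lookup")


def make_db():
    """Constructed sample data standing in for the site's database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret-a"), (2, "bob", "s3cret-b")],
    )
    return conn


def lookup_vulnerable(conn, user_input):
    """Mirrors the pattern described in the post: the id is concatenated into the
    query and the raw engine error is returned to the client."""
    sql = "SELECT id, name FROM users WHERE id = " + user_input
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        # Echoing str(exc) is the information leak: whatever the engine
        # complains about (including values it tried to convert) goes to the caller.
        return {"error": str(exc)}


def lookup_hardened(conn, user_input):
    """Same lookup with the three fixes a defender wants:
    type enforcement, parameter binding, and generic client-side errors."""
    # 1. The page expects a numeric id, so reject anything that is not one
    #    before it gets anywhere near SQL.
    try:
        user_id = int(user_input)
    except ValueError:
        return {"error": "invalid request"}
    # 2. Bind the value; it can no longer change the query structure.
    try:
        rows = conn.execute(
            "SELECT id, name FROM users WHERE id = ?", (user_id,)
        ).fetchall()
        return {"rows": rows}
    except sqlite3.Error:
        # 3. Full detail goes to the server log, never to the response body.
        logger.exception("database error for id=%r", user_id)
        return {"error": "internal error"}


# Verbose SQL Server conversion messages that indicate engine error text is
# reaching clients. The two phrasings are real SQL Server messages (older and
# newer versions); the list is an assumption about which ones matter to you.
_DB_ERROR_PATTERNS = [
    re.compile(r"Syntax error converting the (?:n?varchar|char) value", re.I),
    re.compile(r"Conversion failed when converting the (?:n?varchar|char) value", re.I),
    re.compile(r"\[Microsoft\]\[ODBC SQL Server Driver\]", re.I),
]


def response_leaks_db_error(body):
    """Return True when a response body carries verbose database error text.
    Run over captured responses (a proxy log, a test harness) to find pages
    that would turn a conversion error into a data leak."""
    return any(p.search(body) for p in _DB_ERROR_PATTERNS)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1 OR 1=1"))   # both rows: query structure altered
    print(lookup_vulnerable(db, "1'"))         # engine error text echoed back
    print(lookup_hardened(db, "1 OR 1=1"))     # rejected before reaching SQL
    print(lookup_hardened(db, "1"))            # the one legitimate row
    # Constructed sample response body for the leak check (assumption).
    sample = "Conversion failed when converting the varchar value 'admin' to data type int."
    print(response_leaks_db_error(sample))
```

The leak check is deliberately a response-side control: even with parameter binding in place, any page that prints engine exceptions will still hand an attacker a debugging channel, so treating verbose DB errors in responses as a defect in its own right is worth the extra check in a test suite or proxy rule.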
