Originally posted on Reiners' Weblog:
This post was voted as 2nd best in the Top 10 Web Hacking Techniques of 2011 poll.
Last month I found a weird behaviour in a Java application during a blackbox pentest. The value of a parameter id was reflected in the HTTP response, and I was testing for a potential SQLi vulnerability with the following requests (urldecoded) and responses:
Ok that looked promising. SQLi here we go:
?id=abc'+(select 1 from dual)+'def
Hmm, comments and subselects do not work? Maybe a table name is missing, as MS Access would require? The defaults did not work. What comment types are available?
No luck, so I started from the beginning:
Wooty? That was really interesting. No DBMS would return null for…