Partial Boolean Based SQLi


Brief Description

While looking at the analytics for a host target on Synack, I noticed several different submissions regarding SQLi, which made me curious whether I could find the same kind of flaw on a web server nobody had reported yet. After a while of testing with some generic SQLi payloads, I found the flaw, but unfortunately I did not manage to escalate it to a full SQLi, so it ended up as a partial SQLi.

Reconnaissance Steps

After some recon to discover live web servers, while mapping the web application I found an endpoint, /LoginAction_sessionLogin.action, that took a userSession parameter. Its HTTP response contained only a generic string such as {"result:7"}.

[picture]

After inserting a generic SQLi payload such as ' or '1'='1 into the userSession parameter, the web server returned a different response that disclosed the current user's session ID, username, and permissions. The payload was sent as follows:

http://domain.vi/LoginAction_sessionLogin.action?userSession=' or '1'='1

[picture]
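As an added illustration (not part of the original post, and not the target's actual code, whose backend query is unknown), the following Python sketch models a hypothetical handler that concatenates userSession into a SQL string, shows why ' or '1'='1 flips the response from the generic result code to a session record, adds the classic true/false pair used to confirm boolean-based injection, and contrasts it with a parameterised lookup. The sessions table, its rows, the column names and the JSON shapes are all constructed assumptions.

```python
import sqlite3

# Constructed sample data: a hypothetical stand-in for whatever backed
# /LoginAction_sessionLogin.action. The real schema is not known.
ROWS = [
    ("a1b2c3d4", "alice", "admin"),
    ("e5f6g7h8", "bob", "user"),
]


def make_db():
    """Build an in-memory database holding the constructed sessions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (session_id TEXT, username TEXT, permissions TEXT)"
    )
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, user_session):
    """Hypothetical vulnerable handler: the parameter is spliced into the query.
    With ' or '1'='1 the WHERE clause becomes
    session_id = '' or '1'='1', which matches every row."""
    sql = (
        "SELECT session_id, username, permissions FROM sessions "
        "WHERE session_id = '" + user_session + "'"
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_session):
    """Same lookup with a bound parameter: the quote is treated as data."""
    sql = (
        "SELECT session_id, username, permissions FROM sessions "
        "WHERE session_id = ?"
    )
    return conn.execute(sql, (user_session,)).fetchall()


def respond(rows):
    """Mimic the two response classes seen in the post: a generic result code
    when nothing matches, session details when a row is found (assumed shape)."""
    if not rows:
        return {"result": 7}
    session_id, username, permissions = rows[0]
    return {
        "sessionId": session_id,
        "username": username,
        "permissions": permissions,
    }


def boolean_probe(conn, lookup, prefix=""):
    """Boolean-based confirmation: send a condition that is always true and one
    that is always false. If the two responses differ, the input reaches the
    query unescaped. `prefix` can be a known-good value (uses AND) or empty
    (uses OR), matching the payload shape from the post."""
    op = "and" if prefix else "or"
    true_resp = respond(lookup(conn, f"{prefix}' {op} '1'='1"))
    false_resp = respond(lookup(conn, f"{prefix}' {op} '1'='2"))
    return true_resp != false_resp


if __name__ == "__main__":
    db = make_db()
    print(respond(vulnerable_lookup(db, "bogus")))        # generic code
    print(respond(vulnerable_lookup(db, "' or '1'='1")))  # first session leaks
    print(boolean_probe(db, vulnerable_lookup))            # True
    print(boolean_probe(db, safe_lookup))                  # False
```

The probe is what turns "a different response" into evidence: the same request with '1'='2 in place of '1'='1 must fall back to the generic result code, otherwise the change could just be input validation. The parameterised version returns no rows for either payload, which is the fix the application would need.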

After I reported the flaw, the vulnerability was accepted as a partial SQLi and awarded three stars for good report writing.

Takeaways

In this case, the flaw was a generic SQLi that can be found with payloads from PayloadsAllTheThings. Mapping the web application and paying attention to specific parameters also helps. Nothing special really; for things like this, don't forget to check zseano's methodology.
