gunitinug

Everything posted by gunitinug

  1. Sorry, APP.accounts table with user column.
  2. Correction. It should be APP.contacts table with user column.
  3. Correction. This logs in: admin' and (select count(user) from app.accounts where user not like '%')=0-- But not: admin' and (select count(user) from app.accounts where user not like '%')>0--
  4. Hi. I have to pen test the Altoro Mutual site (https://demo.testfire.net) for a project. The site uses DERBY DB. I have discovered that its login page is vulnerable to blind boolean SQLi. I have discovered that there is a table called user under the schema name APP (i.e. APP.user). I typed in:

     Username: admin' and (select count(user) from app.accounts where user like '%a%')>0--
     Password: anything

     This tests whether there is a user that contains the letter 'a'. If the test succeeds, the Altoro Mutual site logs in. Otherwise it says "Login Failed: We're sorry, but this username or password was not found in our system. Please try again."

     I've tried the same test but this time iterated from a-zA-Z. But it never succeeds in logging in, which tells me that maybe the Username is not in the English alphabet. But this is unlikely. So my problem is I don't know why the LIKE operator doesn't return the result that is expected.

     I also tried:

     Username: admin' and (select count(user) from app.accounts where user not like '%a%')>0--
     Password: anything

     And this time every iteration of a-zA-Z logs in. So this result also tells me the Username does not contain a letter.

     Lastly, this one works (it logs in):

     Username: admin' and (select count(user) from app.accounts where user not like '%')>0--
     Password: anything

     Can you help me understand why the LIKE operator fails when user LIKE '%a%' and so on? THX