Altoro Mutual site


gunitinug

Hi.

I have to pen test the Altoro Mutual site (https://demo.testfire.net) for a project. The site uses Derby DB.

I have discovered that its login page is vulnerable to blind boolean SQLi.

I have discovered that there is a table called user under the schema name APP (i.e. APP.user).

I typed in

Username: admin' and (select count(user) from app.accounts where user like '%a%')>0--
Password: anything

This tests whether there is a user that contains the letter 'a'. If the test succeeds, the Altoro Mutual site logs in. Otherwise it says "Login Failed: We're sorry, but this username or password was not found in our system. Please try again."

I've tried the same test, but this time iterated from a-zA-Z. But it never succeeds in logging in, which tells me that maybe the Username is not in the English alphabet. But this is unlikely.

So my problem is I don't know why the LIKE operator doesn't return the result that is expected.

I also tried

Username: admin' and (select count(user) from app.accounts where user not like '%a%')>0--
Password: anything

And this time every iteration of a-zA-Z logs in. So this result also tells me the Username does not contain a letter.

Lastly this one works (it logs in)

Username: admin' and (select count(user) from app.accounts where user not like '%')>0--
Password: anything

Can you help me understand why the LIKE operator fails when user LIKE '%a%' and so on?

THX
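
The login behaviour described in the post above, reproduced as an added example that is not part of the original post or the site's own code: a login query built by string concatenation acts as a true/false oracle for the injected condition, while a parameterized query treats the same input as a literal username. It assumes SQLite in place of Derby, and the table and column names (`people`, `accounts`, `owner`) and all data are hypothetical and constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the site's Derby database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (user_id TEXT, password TEXT)")
    db.execute("CREATE TABLE accounts (owner TEXT)")
    db.execute("INSERT INTO people VALUES ('admin', 's3cret-constructed')")
    db.execute("INSERT INTO accounts VALUES ('jsmith')")
    return db

def login_concat(db, username, password):
    # Vulnerable form: user input becomes part of the SQL text, so the
    # quote closes the string and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM people WHERE user_id = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_param(db, username, password):
    # Hardened form: placeholders keep input as data, never as SQL.
    sql = "SELECT COUNT(*) FROM people WHERE user_id = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def probe(letter):
    # Same shape as the Username value in the post, with a hypothetical column.
    return ("admin' and (select count(owner) from accounts "
            "where owner like '%" + letter + "%')>0--")

if __name__ == "__main__":
    db = make_db()
    for letter in ("j", "z"):
        print(letter,
              "concat:", login_concat(db, probe(letter), "anything"),
              "param:", login_param(db, probe(letter), "anything"))
```

With the parameterized form the login result no longer depends on the injected condition, so the page stops leaking one bit per request.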
