gunitinug, posted May 25, 2019

Hi. I have to pen test Altoro Mutual site (https://demo.testfire.net) for a project. The site uses DERBY DB. I have discovered that its login page is vulnerable to blind boolean sqli. I have discovered that there is a table called user under schemaname of APP (ie. APP.user).

I typed in

Username: admin' and (select count(user) from app.accounts where user like '%a%')>0--
Password: anything

This tests whether there is a user that contains a letter 'a'. If the test succeeds altoro mutual site logs in. Otherwise it says "Login Failed: We're sorry, but this username or password was not found in our system. Please try again."

I've tried the same test but this time iterated from a-zA-Z. But it never succeeds in logging in which tells me that maybe Username is not English alphabet. But this is unlikely. So my problem is I don't know why LIKE operator doesn't return a result that is expected.

I also tried

Username: admin' and (select count(user) from app.accounts where user not like '%a%')>0--
Password: anything

And this time every iteration of a-zA-Z logs in. So this result also tells me Username does not contain a letter.

Lastly this one works (it logs in)

Username: admin' and (select count(user) from app.accounts where user not like '%')>0--
Password: anything

Can you help me why LIKE operator fails when user LIKE '%a%' and so on? THX

gunitinug (author), posted May 25, 2019

Correction. This logs in

admin' and (select count(user) from app.accounts where user not like '%')=0--

But not

admin' and (select count(user) from app.accounts where user not like '%')>0--

gunitinug (author), posted May 25, 2019

ignore the last post

gunitinug (author), posted May 25, 2019

correction. it should be APP.contacts table with user column.

gunitinug (author), posted May 25, 2019

sorry APP.accounts table with user column
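
On the defending side, the a-zA-Z iteration described in the first post stands out in login logs, because every request repeats one injected template and changes only the LIKE pattern. The following is an added example, not part of the thread, written in Python; the input format of (source address, submitted username) pairs, the function name `find_like_sweeps` and the threshold are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict

# A quote that closes the username, a boolean operator, a subquery, a trailing comment.
INJECTED_PREDICATE = re.compile(r"'\s*(?:and|or)\b.*\(\s*select\b.*--", re.I | re.S)
# The quoted pattern that follows LIKE; it is the only part that changes during a sweep.
LIKE_LITERAL = re.compile(r"like\s+'([^']*)'", re.I)

def find_like_sweeps(attempts, min_variants=5):
    """Return {source: distinct LIKE patterns tried} for sources that repeat one
    injected template while changing only the LIKE pattern (hypothetical helper)."""
    variants = defaultdict(set)
    for source, username in attempts:
        if not INJECTED_PREDICATE.search(username):
            continue
        literals = LIKE_LITERAL.findall(username)
        if not literals:
            continue
        # Mask the pattern so every request of one sweep maps to the same template.
        template = LIKE_LITERAL.sub("like '?'", username).lower()
        variants[(source, template)].update(literals)
    flagged = {}
    for (source, _template), seen in variants.items():
        if len(seen) >= min_variants:
            flagged[source] = max(flagged.get(source, 0), len(seen))
    return flagged

# Constructed sample data (documentation address ranges, not real traffic).
TEMPLATE = "admin' and (select count(user) from app.accounts where user {op} '%{ch}%')>0--"
SAMPLE_ATTEMPTS = (
    [("192.0.2.10", name) for name in ("jsmith", "o'brien", "admin")]
    + [("198.51.100.7", TEMPLATE.format(op="like", ch=c)) for c in "abcdefgh"]
    + [("198.51.100.7", TEMPLATE.format(op="not like", ch=c)) for c in "abc"]
    + [("203.0.113.5",
        "admin' and (select count(user) from app.accounts where user not like '%')=0--")]
)

if __name__ == "__main__":
    for source, count in find_like_sweeps(SAMPLE_ATTEMPTS).items():
        print(f"{source}: {count} LIKE patterns tried against one injected template")
```

A legitimate username containing an apostrophe (the constructed `o'brien`) is not flagged, and a single injected request stays below the default threshold.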