SQL Injection (AJAX\JSON\jQuery)


In this (AJAX/JSON/jQuery) SQLi, finding the vulnerability is a little tricky: you have to focus on the output you are getting.

Because as soon as you type something, the web app starts predicting it and showing you results.
Here I typed just the letter (i) and it started showing me all the movie names that contain the letter (i).
With (ir) only Iron Man is shown. The trick to finding the SQLi vulnerability here is to focus on the end result while enumerating.
First let's start finding the number of columns using {order by}.
Using the (' -- #) syntax we can see the result without even typing any letter; now, to find the exact number of columns, we really need to focus on the result.
The result of order by 1 and order by 2 is the same, but with order by 3 the result is different.
We keep doing this until the result stops changing.
At order by 8 the result stops changing, so the number of columns is 7.
Now let's use union select to enumerate the database further:
' union select 1,version(),3,4,database(),6,7 -- #
Look at the bottom of the result: our desired values appear in the list.
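To show why the live-search endpoint leaks this way and what the fix looks like, here is an added example that is not code from the original post or from the web app it describes: a concatenated query beside a parameterised one over a constructed in-memory SQLite movie table (assumed three columns, so the union payload is the post's payload cut down to that width, with SQLite's sqlite_version() standing in for version()).

```python
import json
import sqlite3

# Constructed sample data standing in for the app's movie table (assumption: three columns).
MOVIES = [("Iron Man", 2008), ("The Incredible Hulk", 2008),
          ("Thor", 2011), ("The Avengers", 2012)]
COLUMNS = ("id", "title", "release_year")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, release_year INTEGER)")
    con.executemany("INSERT INTO movies (title, release_year) VALUES (?, ?)", MOVIES)
    return con


def to_json(rows):
    # The AJAX endpoint hands the matches to the jQuery front end as a JSON list.
    return json.dumps([dict(zip(COLUMNS, r)) for r in rows])


def search_vulnerable(con, term):
    # The flaw behind the write-up: the live-search term is spliced into the SQL text,
    # so a quote closes the string literal and the rest of the term is parsed as SQL.
    sql = ("SELECT id, title, release_year FROM movies "
           "WHERE title LIKE '%" + term + "%'")
    return to_json(con.execute(sql).fetchall())


def search_hardened(con, term):
    # Fix: a bound parameter keeps the term as data; the quote and UNION are just characters.
    sql = "SELECT id, title, release_year FROM movies WHERE title LIKE ?"
    return to_json(con.execute(sql, ("%" + term + "%",)).fetchall())


# The post's payload, trimmed to the constructed table's three columns.
PAYLOAD = "' union select 1,sqlite_version(),3 -- #"


def demo():
    con = make_db()
    return {
        "hardened_ir": search_hardened(con, "ir"),              # only Iron Man
        "vulnerable_payload": search_vulnerable(con, PAYLOAD),  # every movie plus a version row
        "hardened_payload": search_hardened(con, PAYLOAD),      # no title contains the payload text
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable endpoint returns an extra row carrying the database version at the bottom of the list, which is exactly the tell the write-up relies on; the parameterised endpoint returns an empty list for the same input.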

~ Hack the World and Stay Noob
