The confirmation
Now that the cloud server is properly configured to record incoming requests over DNS, we can go back to our earlier example and leverage the cloud to confirm the vulnerability out-of-band.
You'll recall that the vulnerable application allows unsanitized input to be executed on the SQL server via the name parameter. The challenge we sometimes face, as attackers, is the difficulty in confirming the existence of this type of vulnerability when the application does not behave differently based on the input given. Sometimes, we may even be lucky enough to examine source code, in which case we'd just skip right to exploiting the vulnerability.
The WAITFOR DELAY payload will work for most blind SQL injections, as the majority of application views depend on the result from SQL queries that the controller executes.
SELECT * FROM users WHERE user = 'Dade';WAITFOR DELAY '0:0:20' --';
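As an added illustration that is not part of the chapter, the snippet below shows the defender's view of the same name parameter: the string-concatenation pattern that turns the payload above into the exact query shown, the parameterized form that binds the value as a literal instead, and a log check that flags time-based probes. The users table, the sqlite3 backend and the log lines are constructed for the example (sqlite3 stands in for the SQL server since it does not parse T-SQL's WAITFOR).

```python
import re
import sqlite3

# Constructed sample input: the value the chapter supplies in the `name` parameter.
BLIND_PAYLOAD = "Dade';WAITFOR DELAY '0:0:20' --"


def vulnerable_query(name: str) -> str:
    """Unsafe pattern: user input concatenated straight into the SQL text.
    Returns the string that would reach the SQL server (not executed here)."""
    return f"SELECT * FROM users WHERE user = '{name}';"


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound as a parameter, so the whole payload
    is compared as a literal user name and never parsed as SQL."""
    cur = conn.execute("SELECT * FROM users WHERE user = ?", (name,))
    return cur.fetchall()


# Signatures a WAF rule or log review can use to flag time-based blind
# injection probes. Assumption: log lines are URL-decoded before matching.
TIME_BASED_PATTERNS = re.compile(
    r"waitfor\s+delay|sleep\s*\(|pg_sleep\s*\(", re.IGNORECASE)


def flag_time_based_probes(log_lines):
    """Return only the log lines whose query string carries a delay probe."""
    return [line for line in log_lines if TIME_BASED_PATTERNS.search(line)]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('Dade', 'admin')")
    # Constructed, URL-decoded access-log lines for the detection check.
    logs = [
        "GET /profile?name=Dade 200",
        "GET /profile?name=Dade';WAITFOR DELAY '0:0:20' -- 200",
        "GET /profile?name=Kate 200",
    ]
    return {
        "vulnerable_sql": vulnerable_query(BLIND_PAYLOAD),
        "safe_rows": safe_lookup(conn, BLIND_PAYLOAD),   # payload matches no user
        "legit_rows": safe_lookup(conn, "Dade"),         # normal lookup still works
        "flagged": flag_time_based_probes(logs),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```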
In the surprisingly common scenario where the vulnerable query is executed asynchronously and the page...