A common scenario
Imagine that the application http://vuln.app.internal/user.aspx?name=Dade
is vulnerable to a SQL injection attack on the name
parameter. Traditional payloads and polyglots do not seem to affect the application's response. Perhaps database error messages are disabled and the name
value is not processed synchronously by the application.
Somewhere on the backend Microsoft SQL (MS SQL) server, the following query is executed:
SELECT * FROM users WHERE user = 'Dade';
A simple single-quote value for name
would produce a SQL error and we'd be in business, but in this case, the error messages are suppressed, so from a client perspective, we'd have no idea something went wrong. Taking it a step further, we can force the application to delay the response by a significant amount of time to confirm the vulnerability:
SELECT * FROM users WHERE user = 'Dade';WAITFOR DELAY '0:0:20' --';
This payload injects a 20 second...