Hi all :)
I'm doing an application pentest on a Java applet for one of my clients.
I suspect there's a blind SQL injection (via POST) in this application, since when I try to search for andy (just an example), the result will show andy's profile.
But if I try to search for andy' , another person's profile will appear, or sometimes just a blank profile.
Tried:
andy' or 1='1 => TRUE
andy' or 1='2 => FALSE
Yerp!! The possibility is high.
Then I tried a little trick using string concatenation, just like what I read before on pentestmonkey and the ISC diary:
an'||dy = FALSE
an'||'dy = TRUE
an'||d||'y = TRUE
So I'm quite confident there's a SQLi vulnerability in this application.
Now the problem is:
1 - Can't use any automated tools, since the application is in frmservlet.
Already tried to hook/sniff using Wireshark/Burp/WebScarab/etc., and the data is encrypted well.
2 - There is a length limit on the chars that can be used for this vulnerable form/parameter.
Some of them can be used up to 30 chars,
some of them 40,
and the longest that I can find is this long:
1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 (90 chars, isn't it??)
I need to show at least one more PoC, to get the current_user or banner version to show to the client. :/
haha.
Already tried some of the tricks posted by Slavik:
http://www.slaviks-blog.com/2009/10/13/blind-sql-injection-in-oracle/
and by Bojan:
https://isc.sans.edu/diary.html?storyid=6409
These are the queries I used:
1'||(select case when substr(user,1,1)='S' then dbms_pipe.receive_message('kuku',10) else ' end||'1
1'||(select case when substr(user,1,1)='S' then '1' else 'X' end from (select user from dual))||'1
None of them works. Maybe there are some mistakes in my query, or maybe this application is not vulnerable at all :(
If anyone can give me an idea, please do so :)
There are still 2-3 days for me to test this application.
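The concatenation probes in the post (an'||dy giving a blank result while an'||'dy returns andy's profile) are the classic signal that the search term is being spliced into the SQL text, and the fix on the application side is parameter binding. The following is an added example, not code from the post or from the application being tested: it builds a constructed in-memory SQLite table (SQLite is used here only because, like Oracle, it supports the || string operator) and runs the same search terms through a vulnerable string-built query and a parameterized one, so you can see why the probes behave as described and that binding removes the difference. The "andy' or '1'='1" case is quoted on both sides because SQLite does not do the implicit number-to-string comparison that Oracle does; that deviation from the post's payload is an assumption of this example.

```python
import sqlite3

# Constructed sample data standing in for the application's profile table.
SAMPLE_PROFILES = [("andy", "Andy Example"), ("bob", "Bob Example")]


def make_db():
    """Create an in-memory SQLite database with the constructed profiles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (username TEXT, fullname TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)", SAMPLE_PROFILES)
    return conn


def search_vulnerable(conn, term):
    """The weak pattern: the search term becomes part of the SQL text.

    A quote in the term closes the string literal, and || then rebuilds
    the name out of pieces, which is exactly why an'||'dy matches andy.
    """
    sql = "SELECT fullname FROM profiles WHERE username = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """The fix: the term is bound as a parameter and never parsed as SQL,
    so ' and || are only characters that the username has to match."""
    sql = "SELECT fullname FROM profiles WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def compare(term):
    """Run one term through both variants.

    Returns (vulnerable_result, parameterized_result); the vulnerable
    result is None when the spliced statement fails to parse, which is
    the "blank profile" case from the post.
    """
    conn = make_db()
    try:
        vuln = sorted(search_vulnerable(conn, term))
    except sqlite3.Error:
        vuln = None
    safe = sorted(search_parameterized(conn, term))
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    for probe in ["andy", "an'||dy", "an'||'dy", "andy' or '1'='1"]:
        print(repr(probe), "->", compare(probe))
```

Reading the output: only the plain term "andy" returns the same row in both variants; every probe that "works" against the string-built query returns nothing once the term is bound, because there is no longer any SQL for the quote or the || operator to alter.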