SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve.
Blind SQL injection means that the application does not return the results of the SQL query or the details of any database errors within its responses. It can still be exploited to access unauthorized data, but the techniques involved are generally more complicated and difficult to perform.
Blind SQL injection in a live government website in Europe.
As part of the initial recon, I ran a directory brute force.
It turned up a file named data.txt.
It appeared to be a log file, and it contained the URL of a form.
I submitted the form and inspected the response in the proxy.
Adding a single quote to the name parameter threw an INSERT error.
Adding a second single quote to the same parameter made the error vanish. The injection point is therefore inside a string literal: one quote broke the literal and a second one balanced it again.
Injecting a sleep() call introduces a time delay in the response.
Changing the argument to sleep() and checking that the response time changes by the same amount confirms the injection; comparing each request against a baseline request keeps network jitter from being mistaken for the delay.
The injection was thus confirmed purely by the relative time delay, without the application returning any query results or error details.
SQL injection is a very critical issue, so reported it without any further exploitation.
The issue was exposed through unused pages left on the production server. Unused pages should be removed: deleting them is simpler than spending resources to maintain and secure them.
More generally, SQL injection is prevented by using parameterized queries (also known as prepared statements) rather than building queries by string concatenation, so that user input is always bound as data and never interpreted as SQL.
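The following Python script is an added example, not code from the writeup or the affected site. It reproduces the three checks described above (one quote breaks the string, two quotes balance it, sleep() delays the response) against a deliberately vulnerable INSERT built by string concatenation, and then runs the same payloads against the parameterized version to show that the fix neutralises them. It assumes an in-memory SQLite table with a single name column and registers a sleep() function to emulate MySQL's sleep(), since SQLite has none; the schema, table name and delay values are all constructed for the demo.

```python
import sqlite3
import time


def build_db():
    """Constructed stand-in for the target: one table written by a form handler.

    SQLite has no sleep(); registering one emulates MySQL's sleep() for the
    time-based check (an assumption of this demo, not the target's real setup).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.create_function("sleep", 1, lambda secs: time.sleep(secs) or 0)
    return conn


def insert_vulnerable(conn, name):
    """Deliberately vulnerable: the form value is spliced into the SQL text."""
    query = "INSERT INTO contacts (name) VALUES ('" + name + "')"
    conn.execute(query)


def insert_safe(conn, name):
    """Fixed version: the value travels as a bound parameter, never as SQL."""
    conn.execute("INSERT INTO contacts (name) VALUES (?)", (name,))


def probe(insert, name):
    """Run one insert and report what a tester observes: error, timing, stored data."""
    conn = build_db()
    start = time.monotonic()
    try:
        insert(conn, name)
        error = None
    except sqlite3.Error as exc:
        error = str(exc)
    elapsed = time.monotonic() - start
    rows = conn.execute("SELECT name FROM contacts").fetchall()
    return {"error": error, "elapsed": elapsed, "stored": [r[0] for r in rows]}


def confirm_injection(insert, delay=0.3):
    """Reproduce the writeup's checks against a given insert function."""
    return {
        # a lone quote terminates the string literal early -> syntax error
        "one_quote": probe(insert, "O'Brien"),
        # a second quote is a valid escaped quote -> error vanishes
        "two_quotes": probe(insert, "O''Brien"),
        # closes the literal, evaluates sleep(), reopens the literal
        "sleep": probe(insert, "'+sleep(%s)+'" % delay),
        # same shape with no delay: the baseline to compare against
        "no_sleep": probe(insert, "'+sleep(0)+'"),
    }


if __name__ == "__main__":
    for label, insert in (("vulnerable", insert_vulnerable), ("parameterized", insert_safe)):
        print(label)
        for check, result in confirm_injection(insert).items():
            print("  %-10s error=%-6s elapsed=%.2fs stored=%s"
                  % (check, result["error"] is not None, result["elapsed"], result["stored"]))
```

With the concatenated query, the lone quote raises a syntax error, the doubled quote succeeds, and the sleep payload takes at least the requested delay while the baseline returns immediately. With the bound parameter every payload is stored verbatim as the name, the error disappears, and no delay occurs, which is exactly the behaviour the fix is meant to guarantee.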
Reference: OWASP SQL Injection Prevention Cheat Sheet
These are the tools that were used:
Resources and references