Skip to content

[SECURITY] Undetectable Time-Base Injection #1

Open
raminfp opened this issue Jan 15, 2019 · 1 comment
Open

[SECURITY] Undetectable Time-Base Injection #1

raminfp opened this issue Jan 15, 2019 · 1 comment

Comments

@raminfp
Copy link

raminfp commented Jan 15, 2019

Hi,

libinection-rs unable to detect time base sql inection,

1 - Payload 1'=sleep(10)='1

let (is_sqli, fingerprint) = sqli("1'=sleep(10)='1").unwrap();
assert!(is_sqli); // false
assert_eq!("s&sos", fingerprint);

2- Payloads used to determine database version '=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1

let (is_sqli, fingerprint) = sqli("'=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1").unwrap();
assert!(is_sqli); // false
assert_eq!("s&sos", fingerprint);

Thanks,
Ramin - kernel security engineering
Best regards,

@yaa110
Copy link
Contributor

yaa110 commented Jan 15, 2019

Thank you for the report. Please note that this repository is a bindings to libinjection.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants