by grantcox 3099 days ago
The only successful SQL injection attack I've encountered in the wild was interesting, because the injection point had no visible output. But by injecting timing calls (e.g. "SLEEP()") and appropriate conditionals, the attacker was able to extract a few bits of information each request. Their script executed some tens of thousands of requests, and they managed to extract all the table names, and start to extract data from our "users" table.

In retrospect such an attack is obvious, and presumably tools like metasploit make them trivial to execute. But previously I'd had the idea that SQL injection was usually "literal raw data output".

6 comments

Another frequent type of blind SQL injection is when the server gives an error or a slightly different output on some queries. The server code may for example travel down a different path if the query doesn't output any results and then shows an error. Even if the error doesn't show the contents of the query, it can also be used to slowly extract data through generated yes/no questions.

In one case I managed a successful blind attack for a client because their server showed an English site for valid queries returning the right results, and a German one for unexpected queries.

You should take a look at https://sqlmap.org : this tool runs SQL attacks with « raw data output » as you say, but also without outputs (Blind SQL injections).
I'm getting SSL errors on that link: it is presenting GitHub's wildcard certificate which obviously doesn't match.

The site is accessible as plain http (or https if you skip the warnings, of course).

I thought that was sketchy too but it occurred to me that they probably are hosting this site with github but are using their own domain name.

sqlmap.org turns out to be an A record for an IP address owned by GitHub.

> it occurred to me that they probably are hosting this site with github but are using their own domain name

That is exactly what they are doing, and in itself this is not at all a problem.

But presumably the link worked for the original poster, so either there is a dynamic DNS problem (we are being sent to an address that serves the .github.com certificate and not the "right" one, but he was sent somewhere that does have a certificate for that name) or someone is re-signing content and his machine is set to trust their CA certificate. This latter cause could be normal/expected (his company having a MiTM policy for regulatory monitoring reasons) or his machine could be cracked by an external entity.

SQLmap is a great tool for automated scanning and exploiting of SQLi vulnerabilities. Like everything though, it can miss the occasional exploit, where someone with the expertise might be better suited, but generally speaking it’s an awesome place to start.

It also has sane defaults, which means scriptkiddies chancing their luck with it should be easily spotted in your access.log, or depending on your environment a WAF/IDS/IPS should block/detect quickly.
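An added example, not part of this thread: a small Python scanner over constructed access.log lines that flags the timing primitives (SLEEP, WAITFOR DELAY) and bit-at-a-time conditionals the original poster describes, plus sqlmap's self-identifying default User-Agent, and counts hits per source so a burst of tens of thousands of requests stands out. The Apache combined log format, field names and sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access.log lines (Apache combined format); not from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:12:00:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 1821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:12:00:02 +0000] "GET /item.php?id=5%20AND%20SLEEP(5) HTTP/1.1" 200 1821 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [10/Mar/2016:12:00:08 +0000] "GET /item.php?id=5%20AND%20IF(ASCII(SUBSTRING(user(),1,1))>77,SLEEP(5),0) HTTP/1.1" 200 1821 "-" "sqlmap/1.0-dev"
198.51.100.4 - - [10/Mar/2016:12:00:09 +0000] "GET /item.php?id=7 HTTP/1.1" 200 1900 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:12:00:14 +0000] "GET /item.php?id=5';WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Time-delay primitives used by time-based blind SQLi (MySQL, MSSQL, PostgreSQL).
TIMING_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.IGNORECASE)
# The one-bit-per-request shape: a conditional wrapped around a character/substring test.
CONDITIONAL_RE = re.compile(r"\b(IF|CASE|ASCII|SUBSTRING|SUBSTR|MID)\s*\(", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line; return a dict with the URL-decoded path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded"] = unquote_plus(entry["path"])  # decode %20 etc. before matching
    return entry


def classify(entry):
    """Return the set of indicator tags that apply to one parsed entry."""
    tags = set()
    if TIMING_RE.search(entry["decoded"]):
        tags.add("timing-primitive")
    if CONDITIONAL_RE.search(entry["decoded"]):
        tags.add("conditional-extraction")
    if "sqlmap" in entry["ua"].lower():  # sqlmap's default UA names the tool
        tags.add("sqlmap-default-ua")
    return tags


def scan(log_text):
    """Return (flagged, per_ip): flagged (ip, decoded path, sorted tags) and hit counts per source."""
    flagged, per_ip = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            flagged.append((entry["ip"], entry["decoded"], sorted(tags)))
            per_ip[entry["ip"]] += 1
    return flagged, per_ip
```

Raising the per-source count threshold, or windowing it by timestamp, turns the same counter into a rate alert for the slow bit-by-bit extraction the original poster saw.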

This is a 'blind' sql injection attack. Tools like sqlmap make finding and exploiting sql injection very easy. sqlmap includes excellent support for blind sqli exploitation.

SQL injection is very common in our space which is WordPress. (I'm the Wordfence founder) There are over 40,000 plugins for WP and around 25k developers and writing PHP with a sqli vulnerability is really easy to do accidentally so it is super common.

I recommend having a read of this CTF writeup[0], and the Albatar framework that was used to solve it (cannot be done with sqlmap, I tried). It's incredible how far people can go with SQLi.

[0] https://github.com/ctfs/write-ups-2016/tree/master/nullcon-h...

I have this friend who runs this forum out of self-made software, not a prefabbed phpBB, but home-made software. Nonetheless, he had thousands of members who all shared the same particular hobby.

One time I decided to test his inputs, and surprisingly, one of those inputs contained a vulnerability in that it allowed you to post ANY text script or characters without sanitization. I quickly cobbled together a cookie-stealing script and proved how serious this hack was by stealing the password of an alternate dummy account just by visiting my poisoned user/info page.

I told my friend about it, and it took him a surprisingly long time to actually get around to fixing it.

How did you notice something was amiss?