SQL Injection - Lab #12 - Blind SQL injection with conditional errors

In this video, we cover Lab #12 in the SQL injection track of the Web Security Academy. This lab contains a blind SQL injection vulnerability. To solve the lab, we perform a blind SQL injection attack, using conditional errors as the oracle, against the database, in order to retrieve the password of the administrator user on the application.

Comments

After recording the video, I realized the SQL payload can be much simpler. We don't need a CASE expression in order for it to work. The following is the alternative payload:
' || (select TO_CHAR(1/0) FROM users WHERE username='administrator' and SUBSTR(password, 1, 1)='a')|| '

RanaKhalil

Noticed that there were a couple people who were wondering why the solution for this lab uses concatenation:

It doesn't matter what technique you use; this lab simply introduces a new technique that uses string concatenation instead of an equality check. You could just as easily do this lab using previous techniques.

Eg.
Instead of:
'||(SELECT CASE WHEN (1=2) THEN to_char(1/0) ELSE '' END FROM dual)||'
We could have:
' AND (SELECT CASE WHEN (1=2) THEN to_char(1/0) ELSE '' END FROM dual)=''--

Concatenation simply leads to a simpler solution in this case, so it is quicker to use.
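The following is an added example, not code from the video, the lab or the Web Security Academy, that shows why both payload shapes from the comment above work against a query built by string concatenation and why neither works once the cookie value is bound as a parameter. It uses an in-memory SQLite database as a constructed stand-in for the lab's cookie lookup (the `tracking` table, its `id` column and the value `abc123` are invented), and because `1/0` returns NULL in SQLite instead of raising an error as Oracle's `TO_CHAR(1/0)` does, the CASE yields a different value rather than an error; the observable difference between the TRUE and FALSE conditions is the same one-bit oracle the lab relies on.

```python
import sqlite3

# Constructed stand-in for the application's cookie lookup (assumption: table name,
# column name and cookie value are invented; SQLite replaces the lab's Oracle backend).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (id TEXT)")
    conn.execute("INSERT INTO tracking VALUES ('abc123')")
    return conn


def lookup_vulnerable(conn, cookie):
    """String concatenation: the cookie value is parsed as part of the SQL statement."""
    sql = "SELECT id FROM tracking WHERE id = '" + cookie + "'"
    return len(conn.execute(sql).fetchall())


def lookup_safe(conn, cookie):
    """Bound parameter: the cookie value is only ever compared as data, never parsed."""
    sql = "SELECT id FROM tracking WHERE id = ?"
    return len(conn.execute(sql, (cookie,)).fetchall())


def concat_payload(condition):
    """Shape of the '||(SELECT CASE ... END)||' payload used in the video.
    'x' stands in for the error-raising expression, since SQLite's 1/0 does not raise."""
    return "abc123'||(SELECT CASE WHEN (" + condition + ") THEN 'x' ELSE '' END)||'"


def and_payload(condition):
    """Shape of the ' AND (SELECT CASE ... END)=''-- payload from the pinned comment."""
    return "abc123' AND (SELECT CASE WHEN (" + condition + ") THEN 'x' ELSE '' END)=''--"


def oracle_visible(lookup, make_payload):
    """True when a TRUE and a FALSE condition give different results, i.e. the
    application leaks one bit per request through this lookup."""
    conn = make_db()
    return lookup(conn, make_payload("1=1")) != lookup(conn, make_payload("1=2"))


if __name__ == "__main__":
    lookups = (("concatenated SQL", lookup_vulnerable), ("bound parameter", lookup_safe))
    shapes = (("'||...||'", concat_payload), ("' AND ...--", and_payload))
    for name, lookup in lookups:
        for shape, make_payload in shapes:
            print(f"{name:17} {shape:12} oracle visible: {oracle_visible(lookup, make_payload)}")
```

Against the concatenated query, both shapes are simply two ways of closing the opening quote and splicing a subquery into the statement: the `||` form keeps the statement syntactically whole on its own, while the `AND ... --` form relies on the comment to discard the trailing quote. Against the parameterized query the whole payload is compared as a literal string, matches no row in either branch, and the oracle disappears, which is the fix the lab is teaching you to recognise.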

Zephyr-tghu

Excellent video.

My eWPT cert is in 4 weeks, so I can't thank you enough for your videos and the effort you put into the quality educational content you put out.


A method I found that lets me learn, regardless of it being tedious (the method, not the content): it allows retention for those struggling with the information sticking, because this stuff is hard lol, but you've done us a great service:

Method:
1. Solo Attempt
2. Watch Video ( as a lecture )
3. Re-Attempt ( still without video )
4. Complete with Video ( side by side )
5. 3rd Attempt (without the video )

mih

Hi, can you please tell me why we needed to use the concatenation operator in this case
and why we didn't use the comment operator to ignore the apostrophe.

mahmoudchiboub

I had a hard time understanding why we still get an error while 1=1 and we have a user called administrator. Then you explained how SQL queries work and bingo! I instantly understood! Thank you so much!!

shamanwolf

Great stuff Rana. I bought your course to support you! Thank you for your time on these videos...

marcschweiz

I did the lab before this one called "Blind SQL injection with conditional responses". I didn't have to concatenate in that lab. I am not sure why concatenation was necessary in this lab. Can you explain?

BigHeadEddie

Amazing explanation of why the query for finding if the admin user exists works. Keep it up 👆 !

xx

Hey, I have a question. Since in this case it's an Oracle database, and I didn't know the syntax, after having found the parameter vulnerable to injection and having made sure that it was vulnerable by seeing whether it interpreted what was passed as a query, I passed everything to sqlmap, obviously specifying the injection point. Is this a good thing in your opinion?

lollocanzo

Perfect, love your detailed explanations! Thank you ☺ 🙏

melisaozen

Why can't we follow the same steps here that we follow in Blind SQLi with conditional responses? The difference between conditional error and conditional response is that there, if true we get a WELCOME message, else NO MESSAGE, but here, if true NO ERROR, else ERROR. TYIA

nvssairam

Thank you so much for these videos, they are easy to understand and learn!

vuongnguyenminh

Nice explanations, waiting for the rest of the videos also.

Abhishekn._

Hi @rana Khali, I did watch your basic video. In the previous video we used conditional responses and now we are using a different one. Can we use the old method as well?

Arunkumar

It would be really helpful if you could make a video to give a clear idea of DOM XSS.

masicre

Great work, your videos are really helpful.
I just didn't understand why you decided to concatenate? Is this an obvious move for Blind SQLi?

iluzdd

08:30 I didn't understand why it doesn't work without rownum and why we used rownum=1.

feritkardal

I barely understood the logic of this kind of SQL injection in Oracle... but what I would like to know is whether there is the same way of triggering errors for SQL databases?

hm

Salamu Alaykoum Rana how are you?
What an amazing walkthrough; you make it look as if it was so easy!
Unbelievable skills.
Thank you by the way.
Do you recommend learning SQL?
I don't have much SQL Knowledge.
Thank you again.

starchild_

Hey Rana, thanks for that amazing video explanation!
Can you please explain how the 'TO_CHAR' function manifests in the query?

eladbruchim