webPromedium

Совсем слепая инъекция (Completely Blind Injection)

bug-makers

Task: Node.js API injects user input into SQL WHERE clause, but returns identical response for both success and error — no boolean oracle. Solution: time-based blind SQLi using SQLite IIF() with recursive CTE as delay mechanism, binary search extraction.

$ ls tags/ techniques/

sqlite sqli nodejs express blind_sqli time_based recursive_cte iif

binary_search_extractiontime_based_blind_sqlirecursive_cte_delaysqlite_iif_conditionalsqlite_injection

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Слепая инъекция (Blind Injection)— bug-makers
[forensics][Pro]Украденный флаг (Stolen flag)— bug-makers
[web][Pro]Покажи, если сможешь (Show me if you can)— bug-makers
[web][Pro]ПОСТимся (Posting/Fasting)— hackerlab
[web][Pro]Просто найди его— hackerlab