Skip to main content

Hidden vulnerabilities with visible consequences – from enumeration, through Blind SQL Injection, to the database administrator

Illustration of Hidden vulnerabilities with visible consequences – from enumeration, through Blind SQL Injection, to the database administrator
Patryk Bogdan

Introduction – application enumeration

As security auditors, we daily encounter solutions whose exact structure or logic is unknown to us. Therefore, one of the first and fundamental steps in conducting a security audit is the process of gathering information about the solution being tested. In this case, the story concerns a web application.

While enumerating available resources in the tested application using the ffuf tool, we managed to locate the /panel/ directory. Further attempts to identify the contents of this directory revealed the presence of a download_file.php file, which returned a blank page in the browser. A simple attempt to provide a basic parameter in the form of an HTTP GET id revealed that the application successfully processed it, returning the difference in the response, as demonstrated below.

  • Example HTTP request:

Further analysis – locating the Blind SQL Injection vulnerability

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Oct 2025 14:39:09 GMT
Content-Type: directory
Connection: keep-alive
Content-Disposition: attachment; filename="test"
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 0

In short: Blind SQL Injection doesn’t return any direct database content to the attacker nor display SQL errors. Based on the application’s response, we can only determine whether the query is TRUE or FALSE. Therefore, through trial and error and repeated queries, the attack could proceed as follows:

Other Insights

Illustration of How "simple" math can crash your app. Support for exponential number format leads to Denial of Service.

How "simple" math can crash your app. Support for exponential number format leads to Denial of Service.

Kamil Szczurowski

During one of the audits, I noticed that some application accepted numbers in the exponential format (for example 5e10), however, all the fields were strongly typed – I couldn’t set any of the fields to a number higher than the Integer maximum value. Nevertheless, I kept that fact in my mind and continued to check other numerical fields with vast numbers that would exceed the integer limit. After some time, I finally found a field that did accept a number higher than integer, float or double, which meant that the variable type was BigInteger. Finding such variable type and a possibility to use exponential number format created a new vector for an attack – if application allows conducting any arithmetic equation, there is a chance to conduct a Denial of Service (DoS) attack.

READ article
Illustration of Breaking the TUI: From Client Quirks to Dual Local Privilege Escalation on AIX

Breaking the TUI: From Client Quirks to Dual Local Privilege Escalation on AIX

Wiktor Szymanik

In a recent security assessment, I stumbled upon an interesting setup that, at first glance, looked like just another terminal emulator driving a TUI application. Further investigation led to an exploit that chained multiple steps and fully compromised the tested host. Before we dive into the chain itself, I'll briefly explain a few terms and concepts - important context for the rest of the article.

READ article
A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?

Happy to get a call or email
and help!

Contact Us