Forum Thread: Blind SQL Injection

After a scan with Acunetix I found a vulnerability "Blind SQL Injection".

Image via
Image via

Now what should I do?

6 Responses

That depends what choice you wanna go? manually or using a tool.

First of all, you should make sure that your recon tool did not accidentally generate a false positive, as many do just by nature. Browse the server until you find a url ending in something like "id=12357". To see if it is vulnerable, type in an apostrophe (This thing: ') right after the number. If the page shows an error, or perhaps some elements of the page go missing, it is a vulnerable page!

Site admin OTW actually wrote a tutorial on using a tool in Kali Linux called "sqlmap" to uncover database files. You can find that here.

If you have permission to test...sqlmap can do alot of things. But I would advise you to understand what sql injection actually does, and how. Many things can result from sql injection like shell access.

Thank you all.It states that the site is a friend of mine and I am one staffer.

We are just checking the security of our site. I already tried on sqlMap to enumerate the database with the string saddle scan:


Image via

but no results, other suggestions?

Sorry for my English, I use a translator.

bueno espero hablas espanol, y ya que tienes esa peticion echa desde burp puedes guardar el resultado en un archivo txt y probar con sqlmap -r, ya si no te sale te puedo ayudar si gustas

Share Your Thoughts

  • Hot
  • Active