A writeup on exploiting SQL injection in INSERT queries where commas are forbidden by application logic, using CASE WHEN statements with LIKE operators and CAST functions as a payload bypass technique. The author demonstrates time-based blind SQL injection without commas and provides automated exploitation code.
A SQL injection vulnerability was discovered in the login endpoint of bootcamp.nutanix.com where unsanitized user input in the email and password JSON parameters allowed extraction of database version information via error-based SQLi techniques. The vulnerability was exploited using simple quote injection and extractvalue() functions to trigger MySQL errors revealing system details.
Security researcher Josip Franjković discovered four SQL injection vulnerabilities across multiple Nokia domains (www4.nokia.de, a PHP site, and nokia.es subdomain), including blind SQL injection via User-Agent headers and time-based injection attacks, which Nokia's incident response team patched rapidly in April 2013. The researcher detailed advanced exploitation techniques such as using UNION-based subqueries with CASE statements to extract data from INSERT queries and bypass error-based detection.
Step-by-step exploitation of multiple SQL injection vulnerabilities in Oculus' website, demonstrating blind SQL injection techniques with whitespace and comma filtering bypass to extract admin session credentials. The attacker chained five SQL injections together, using creative MySQL syntax (comment blocks, OFFSET instead of comma-based LIMIT) to gain administrator access without prepared statements.
MySQL clients can be abused via the LOAD DATA LOCAL INFILE feature to exfiltrate arbitrary files from the client machine by setting up a fake MySQL server that bypasses authentication and sends malicious payloads. This exploitation technique works because MySQL clients trust server-sent commands after authentication, allowing attackers to read sensitive files like /etc/hosts from compromised systems.