
Adding Payload to URL-based SQL Injection: Seeking Guidance and Best Practices

Çağlar Arlı


I recently performed a vulnerability assessment on a system using ZAP (Zed Attack Proxy) and received a finding indicating a likely SQL injection vulnerability.

The query time is controllable using parameter value [case randomblob(1000000) when not null then 1 else 1 end ], which caused the request to take [561] milliseconds, parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [1,144] milliseconds, when the original unmodified query with value [] took [567] milliseconds.

The vulnerability report provided the following query as an example:

http://xx.xxx.xx.xxx/?-d+allow_url_include%3D1+-d+auto_prepend_file%3Dphp%3A%2F%2Finput=case+randomblob%2810000000%29+when+not+null+then+1+else+1+end+

Based on my understanding, this query appears to be a test to identify the vulnerability without an actual payload. However, I would like to confirm whether this query is the payload itself or if an additional payload needs to be added to exploit the vulnerability or get into the db.

Could someone with experience in SQL injection clarify if this query is the actual payload or if there is any modification required to exploit the vulnerability effectively? Additionally, any insights on the purpose and behavior of the query would be greatly appreciated.