A pentester discovered a critical SQL injection vulnerability in a forgotten legacy subdomain during an authorized engagement. The vulnerability resided in the 404 error handler, which directly concatenated the request URI into an INSERT statement without sanitization. Automated tools like SQLMap and Ghauri failed to detect it because they rely on SELECT/WHERE-based payloads. Manual exploitation using EXTRACTVALUE() with XPath error-based injection and multi-row INSERT syntax allowed full database enumeration across 70+ tables, including admin credentials and payment records. The database ran as root, amplifying the impact. Key lessons include securing legacy infrastructure, using prepared statements, disabling verbose error output in production, and applying least-privilege database users.
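The bug pattern the write-up describes, as an added example that is not the author's code: a 404 handler that logs the requested URI by string-concatenating it into an INSERT, beside the prepared-statement version. The in-memory SQLite schema and the sample URIs are constructed for the demo; the real site's table and driver are unknown.

```python
import sqlite3

# Constructed in-memory stand-in for the legacy site's 404 log table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE not_found (id INTEGER PRIMARY KEY, uri TEXT NOT NULL)")
    return conn

def log_404_vulnerable(conn: sqlite3.Connection, request_uri: str) -> None:
    # The pattern from the write-up: the raw URI is concatenated into the
    # INSERT, so attacker-controlled bytes become part of the SQL text.
    sql = "INSERT INTO not_found (uri) VALUES ('" + request_uri + "')"
    conn.execute(sql)
    conn.commit()

def log_404_safe(conn: sqlite3.Connection, request_uri: str) -> None:
    # Prepared statement: the URI is bound as a parameter and can never
    # alter the statement's structure, whatever characters it contains.
    conn.execute("INSERT INTO not_found (uri) VALUES (?)", (request_uri,))
    conn.commit()

def logged_uris(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT uri FROM not_found ORDER BY id")]

def demo(request_uri: str) -> dict:
    """Run one URI through both handlers and report what each stored."""
    result = {}
    conn = make_db()
    try:
        log_404_vulnerable(conn, request_uri)
        result["vulnerable"] = logged_uris(conn)
    except sqlite3.Error as exc:
        # A malformed-SQL error is the tell that the URI reached the parser.
        # Returning this message to the client is the verbose-error mistake.
        result["vulnerable"] = f"SQL error: {exc}"
    conn = make_db()
    log_404_safe(conn, request_uri)
    result["safe"] = logged_uris(conn)
    return result

if __name__ == "__main__":
    for uri in ("/old/page.php", "/it's-gone"):
        print(uri, "->", demo(uri))
```

A URI containing an apostrophe is enough to show the difference: the concatenating handler hands it to the SQL parser, while the parameterized one stores it verbatim.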

From infosecwriteups.com, by Eduardo F: "When legacy infrastructure becomes your best friend in a pentest" (11 min read)