0x05 - DB Dump via Underscore Wildcards
Did you know you can dump a whole database table even without SQL injection?
The underscore character (_) is a less-known payload that you can use when pentesting the search functions of an application. It is an alternative to the more common asterisk (*) and percent sign (%) payloads, which usually get blocked by WAFs and developers. In SQL LIKE patterns, % matches any sequence of characters while _ matches exactly one character, so a filter that only strips % still lets _ through.
By using a wildcard character it is possible to match and read a larger set of values, which can uncover sensitive information stored in the DB table.
Note that the _ wildcard represents ONLY A SINGLE CHARACTER, so you need to add multiple underscore wildcards to dump all the info.
How to do it
1. Find a search function within the app and intercept the request.
2. Increase the results size parameter to its maximum (e.g. 10.000) if needed.
3. Replace the search string with the wildcard payload _
4. Keep lengthening the payload (__, ___, ____, _____, etc.) until no new values are returned. Note how these payloads match every value of the corresponding length, so the server ends up dumping the whole table.
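The defender's side of this, as an added example that is not from the original post: a parameterised LIKE search against a constructed SQLite table, first with the raw term (no SQL injection, yet ___ returns every three-character name) and then with the LIKE metacharacters % and _ (and the escape character itself) escaped and an ESCAPE clause added so the term is matched literally. The table, column names and sample rows are assumptions made up for the example.

```python
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [("ann", "ann@example.test"), ("bob", "bob@example.test"),
                ("eve", "eve@example.test"), ("a_b", "ab@example.test")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def escape_like(term, esc="\\"):
    """Neutralise LIKE metacharacters so user input is matched literally.
    The escape character itself must be doubled first, or a trailing
    backslash in the input would swallow the escape we add for % or _."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_vulnerable(conn, term):
    # Parameterised, so there is no SQL injection, but LIKE wildcard
    # semantics still apply to the user-supplied term: "___" matches
    # every three-character name.
    cur = conn.execute("SELECT name FROM users WHERE name LIKE ?", (term,))
    return [row[0] for row in cur.fetchall()]


def search_hardened(conn, term):
    # Same query, but % and _ in the term are escaped and the ESCAPE clause
    # tells the database which character introduces a literal.
    cur = conn.execute("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
                       (escape_like(term),))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    conn = build_db()
    print(search_vulnerable(conn, "___"))  # ['ann', 'bob', 'eve', 'a_b']
    print(search_hardened(conn, "___"))    # [] (only a literal "___" would match)
    print(search_hardened(conn, "a_b"))    # ['a_b']
```

A search endpoint that needs no wildcard semantics at all is better served by an exact-match comparison (= ?) rather than LIKE; where wildcards are a feature, a count of result rows per request, compared against the table size, is a simple signal that a term is matching far more than a real search would.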