0x05 - DB Dump via Underscore Wildcards

Did you know you can dump a whole database table even without SQL injection?

The underscore (_) is a less-known wildcard payload to try against an application's search functions. In a SQL LIKE pattern it matches exactly one character, so it works wherever the search term ends up inside a LIKE clause without the wildcard characters being escaped.

It is an alternative to the better-known multi-character wildcards, the percent sign (%) of SQL LIKE and the asterisk (*) of most full-text search engines, which WAFs and developers usually block or strip while leaving _ untouched.

A wildcard makes the query match a much larger set of rows than the user was meant to see, which can expose sensitive values stored in the table.

Note that _ matches EXACTLY ONE character, so a pattern of N underscores returns only the values that are N characters long; to dump everything you have to walk through the lengths by sending more and more underscores.



How to do it

  1. Find a search function within the app and intercept the request

  2. Raise the result-size parameter to its maximum (e.g. 10000) if the response is paginated

  3. Replace the search string with the wildcard payload _

  4. Keep adding underscores ( __ , ___, ____, _____, etc.) and send each variant; each one returns the values of that exact length. Don't stop at the first empty response, since a table can hold values of length 5 and 7 but none of length 6; stop once several consecutive lengths come back empty

  5. Together these payloads match every value in the column and the server ends up returning the whole table. If the application already wraps the term in % on both sides (LIKE '%term%'), a single _ matches every non-empty value in one request
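The following Python script is an added example, not code from the original post: it reproduces the procedure above against an in-memory SQLite table with constructed sample rows, and shows the fix beside the flaw. The search functions bind the term as a parameter, so there is no SQL injection, yet the unescaped LIKE pattern still leaks the table one length at a time (or in a single request when the app wraps the term in %). The `escape_like` helper and the `ESCAPE` clause are the assumed hardening; the 32-character upper bound in `dump_by_length` is an assumption about maximum value length.

```python
import sqlite3

# Constructed sample table for this demo (not data from the original page).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
    ("dave", "dave@example.com"),
]


def setup_db() -> sqlite3.Connection:
    """Build an in-memory SQLite table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def search_exact_vulnerable(conn, term):
    """Search as a typical app does: the term is bound as a parameter (so no
    SQL injection), but it is used as the LIKE pattern unmodified, so _ and %
    inside it are still interpreted as wildcards."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ORDER BY username",
        (term,),
    ).fetchall()
    return [r[0] for r in rows]


def search_contains_vulnerable(conn, term):
    """Same flaw, 'contains' style: the app wraps the term in % itself, so a
    single _ already matches every non-empty value."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE '%' || ? || '%' "
        "ORDER BY username",
        (term,),
    ).fetchall()
    return [r[0] for r in rows]


def dump_by_length(conn, max_len=32):
    """Replay the page's procedure against the exact-match search: send '_',
    '__', '___', ... and collect every row returned.  max_len is an assumed
    upper bound on value length; a table can have values of length 5 and 7
    but none of length 6, so the loop does not stop at the first empty hit."""
    found = []
    for n in range(1, max_len + 1):
        found.extend(search_exact_vulnerable(conn, "_" * n))
    return sorted(found)


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters in user input (hypothetical helper).
    The escape character itself must be escaped first, then % and _."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_exact_hardened(conn, term):
    """The fix: escape the user's term and tell the database which escape
    character was used, so _ and % only match themselves."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' "
        "ORDER BY username",
        (escape_like(term),),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = setup_db()
    for pattern in ["___", "____", "_____", "______"]:
        print(pattern, "->", search_exact_vulnerable(db, pattern))
    print("dump by length:", dump_by_length(db))
    print("contains-style with '_':", search_contains_vulnerable(db, "_"))
    print("hardened with '_____':", search_exact_hardened(db, "_____"))
```

Running it shows `___` returning only `bob`, `_____` returning `alice` and `carol`, the length walk recovering all four usernames, and the contains-style search giving up the whole column on a single `_`; the hardened search returns nothing for any underscore pattern because the escaped `\_` matches only a literal underscore. When porting the fix to another database, check which escape character its driver or ORM expects and escape that character first, as the helper does.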