Post by Synack Red Team

Dead-end injection points aren't dead ends if you know where to look. In our latest Exploits Explained, Synack Red Team researcher Ozgur Alp walks through a fully blind SQL injection buried inside a PostgreSQL ORDER BY clause, where boolean chaining, time-based techniques, and UNION attacks were all off the table. His solution? Recognize that regex functions trigger errors PostgreSQL doesn't catch during query planning, isolate them inside a subquery so they only fire on the false branch of a CASE statement, and use the error/success difference as a boolean oracle to extract data character by character. Check out the full post to learn more 👉 https://lnkd.in/gGQeY8RW