The web application is vulnerable to SQL injection and returns the file name
in the SQL query output. Here, an attacker can inject a SQL query
that returns a custom file name as the SQL query output. The web
application then calls its file download functionality and passes the file name
returned by the SQL query to that function. The file download function checks
for the file in the locations below:
Local file system
Remote file system (SMB)
The attacker needs to craft a SQL injection query that returns a remote file
system (SMB) path where the Responder tool is listening. The file path should be
In my case, the Responder machine's IP is 192.168.56.106, so the path will be:
The web application passes the SMB path of the Responder machine as the file to
the file download function.
The file download function makes a request to the Responder machine
to access the file box.txt, and this is where Responder comes into action.
Responder forces the web server to authenticate itself to access the file,
and the web server forwards the authentication details to Responder.
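
The chain above works only because the file download function accepts whatever path the query returns, including a remote SMB path. The following is an added defensive example, not code from the original article or the application it describes: it validates a database-supplied file name before any file API sees it. BASE_DIR, the function names and the sample values are assumptions made for illustration.

```python
import ntpath
import re

# Assumption: all downloadable files sit in one directory on a Windows web server.
BASE_DIR = r"C:\app\downloads"  # hypothetical location

# Plain file names only: no separators, no colon, no leading or trailing dot.
_PLAIN_NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]{0,126}[A-Za-z0-9])?")


class UnsafeFileName(ValueError):
    """The value read from the database must not reach the file API."""


def resolve_download_path(db_value, base_dir=BASE_DIR):
    """Turn a file name returned by a SQL query into a path under base_dir."""
    if not isinstance(db_value, str) or not db_value:
        raise UnsafeFileName("empty or non-string value")
    # \\host\share, //host/share, \\?\ and \\.\ all start with two separators.
    if db_value.replace("/", "\\").startswith("\\\\"):
        raise UnsafeFileName("UNC or device path")
    if ntpath.splitdrive(db_value)[0] or db_value[0] in "\\/":
        raise UnsafeFileName("absolute or drive-qualified path")
    if not _PLAIN_NAME.fullmatch(db_value):
        raise UnsafeFileName("not a plain file name")
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, db_value))
    # Defence in depth: the result must sit directly inside base_dir.
    if ntpath.dirname(full).lower() != base.lower():
        raise UnsafeFileName("escapes the download directory")
    return full


def audit(values):
    """Map each candidate value to its resolved path or the rejection reason."""
    report = {}
    for value in values:
        try:
            report[value] = resolve_download_path(value)
        except UnsafeFileName as exc:
            report[value] = "REJECTED: " + str(exc)
    return report


# Constructed sample values; 198.51.100.7 is a documentation-range address.
SAMPLES = ["box.txt", r"\\198.51.100.7\share\box.txt",
           "//198.51.100.7/share/box.txt", r"..\..\web.config", r"D:\secrets.txt"]

if __name__ == "__main__":
    for value, outcome in audit(SAMPLES).items():
        print(f"{value!r:40} -> {outcome}")
```

This check only limits what a tampered query result can reach; the injection itself is still fixed with parameterized queries. Blocking outbound SMB (TCP 445) from the web server removes the authentication leak at the network layer.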
To read the complete article see: