Blind SQL Injection at photojournal.jpl.nasa.gov

Disclosed by MiguelSegoviaGil
Summary by MiguelSegoviaGil

A Blind SQL Injection vulnerability was identified on the NASA JPL Photojournal website https://photojournal.jpl.nasa.gov/new, specifically in the sort parameter of the search feature. By injecting conditional SQL expressions, it is possible to infer data from the backend database through time-based response delays.

An attacker can exploit this vulnerability by modifying the sort parameter to include malicious SQL payloads. The use of the BENCHMARK() function in conjunction with conditional logic demonstrates the vulnerability, as the server response is significantly delayed only when the injected condition evaluates to true.

This behavior confirms that information can be extracted from the database without inspecting the response body at all, using only the response time, which is the classic symptom of time-based blind SQL injection.
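The root cause described above is a sort value spliced directly into an ORDER BY clause, where a bound parameter cannot be used for a column name. The following is an added example, not code from the report or from the Photojournal site: a minimal vulnerable search function beside a hardened one that maps the request value onto a server-side allow-list. The table, column names and sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample schema and rows so the example runs offline (not the real site's schema).
_ROWS = [
    (1, "Jupiter", "2001-03-04"),
    (2, "Mars", "1999-01-20"),
    (3, "Saturn", "2010-07-15"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER, target TEXT, released TEXT)")
    conn.executemany("INSERT INTO images VALUES (?, ?, ?)", _ROWS)
    return conn


def vulnerable_search(sort: str):
    """Vulnerable pattern: the sort value is concatenated into the SQL text.
    Whatever the client sends is evaluated by the database as part of the
    statement, which is exactly what lets a conditional, time-consuming
    expression leak information through response timing."""
    conn = _connect()
    sql = f"SELECT id, target FROM images ORDER BY {sort}"  # untrusted input in SQL
    return [row[1] for row in conn.execute(sql)]


# Allow-list: the only columns and directions a client may ask for.
# The dictionary values, not the request, end up in the statement.
_SORT_COLUMNS = {"id": "id", "target": "target", "released": "released"}
_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def safe_sort_clause(sort: str) -> str:
    """Validate the request value and return a server-controlled ORDER BY
    fragment. Anything that is not '<column> [asc|desc]' is rejected."""
    m = re.fullmatch(r"\s*([A-Za-z_]+)(?:\s+(asc|desc))?\s*", sort, re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised sort parameter")
    column = m.group(1).lower()
    direction = (m.group(2) or "asc").lower()
    if column not in _SORT_COLUMNS:
        raise ValueError("unknown sort column")
    return f"{_SORT_COLUMNS[column]} {_DIRECTIONS[direction]}"


def accepts_sort(sort: str) -> bool:
    """True if the hardened validator would accept this sort value."""
    try:
        safe_sort_clause(sort)
        return True
    except ValueError:
        return False


def hardened_search(sort: str):
    """Hardened pattern: only the validated, allow-listed fragment reaches SQL."""
    conn = _connect()
    sql = f"SELECT id, target FROM images ORDER BY {safe_sort_clause(sort)}"
    return [row[1] for row in conn.execute(sql)]


if __name__ == "__main__":
    print(vulnerable_search("target DESC"))        # ordinary use works in both
    print(vulnerable_search("length(target)"))     # but arbitrary SQL expressions run too
    print(hardened_search("target desc"))
    print(accepts_sort("target, length(target)"))  # False: rejected before reaching SQL
```

The contrast worth noticing is that both functions behave identically for legitimate values, so the defect is invisible in normal use; only the vulnerable one evaluates an attacker-chosen expression. On the detection side, an endpoint whose response time for the same parameter name swings between near-zero and many seconds, with non-column-like sort values in the access log, is the timing signature the report describes.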
