Black & White Path

May 24, 2026 · Information Security

AI‑Driven DeepSeek XML Error Injection Bypasses WAF, Dumps 19 DBs in 2 Hours

In a production‑environment penetration test, the researcher leveraged DeepSeek V4 Pro via a custom Claude Code bridge to craft an XML‑parsing‑error‑based Boolean blind SQL injection that evaded WAF keyword filters, allowing character‑by‑character extraction of all 19 database names within two hours at a cost of only ¥1.4.