Good evening all,

I'm in the process of attempting to exploit a SQLi vulnerability detected by Nessus scanner on a web application I've downloaded. Before getting flamed, I just want to say that I've spent countless hours doing tons of research and studied many training materials but I've never run across this situation. In this particular case, the SQLi vulnerability is actually in the HTTP Headers (Referrer). However, what's weird to me is that a single quote (') is the ONLY thing that triggers an MySQL_num_rows() error. Tried many blind sqli techniques and even some time-based from learning resources, but it seems like nothing has an effect other than putting a single quote (which only generates a mysql_numrows() error), or even if I add 3, 5, etc.

Any advice on what I'm doing wrong / missing, please let me know. I appreciate any feedback.