Possible SQL Injection with redirect to webpage if injected query is correct

Under the authorization of my friend, I am testing his website against potential vulnerabilities.

I was trying to find if I was able to inject a SQL query into a POST request parameter hi' or 1=1 -- :

query=hi'%20or%201%3d1%20--

I found that the document prints out:

<div class="error">index job,query: syntax error, unexpected '-' near '-'</div>

while with ' or 0=0 -- I get:

<div class="error">index job,query: syntax error, unexpected '|' near ' | 0=0) --'</div>

Does this mean that it's vulnerable to SQL Injection? If yes, how can I make it print server system data (like information, etc.)? By the way, if the string is correct it gets redirected to another webpage (I think that's why SQLMap tells me the parameter is not SQL-injectable).

EDIT: I can see the query works just if the URL gets redirected, but I won't see the query output. If the URL doesn't get redirected, I can see these SQL query errors. I'm trying to see how to get the output and do something more useful to attack the website, or even make it detectable from sqlmap.

The current command I'm using is sqlmap -r thework.txt -p query --dbs. thework.txt contains the full valid POST request.

Wish I had 50 reps so I could put this in comments. But yes the site is most likely vulnerable. To be sure ask your friend to allow you to run an initial exploit.

sqlmap.py -u <Target Address> --dbs

If you successfully pull up the database you have found the vulnerability, or at least have confirmed there is a vulnerability.

SQL injection isn't only about malicious attacks that read data or change data on your site.

The majority of SQL injections are simply errors like the one you saw. They might not even be malicious. What if you have an SQL injection vulnerability that simply causes an error when someone wants to register their last name as "O'Reilly"? The user is well-intentioned, but your site breaks when they use their real name.

That's reason enough to detect and fix cases of SQL injection in your code.

You didn't post your code that builds the SQL query from this input, so what you have shown is only circumstantial evidence. But I do infer that you are copying a GET input into your SQL query without proper escaping or the preferred method, using a query parameter.
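As an added illustration of the point above (this is not the asker's code, whose query-building logic was never posted): the same search written once by string concatenation and once with a bound query parameter, run against a constructed in-memory SQLite table. The table, its column and the job titles are assumptions made for the demo; only the two inputs come from the thread.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO jobs (title) VALUES (?)",
        [("O'Reilly media editor",), ("Data analyst",), ("Night guard",)],
    )
    return conn


def search_concat(conn, query):
    """Vulnerable form: the input is spliced into the SQL text itself."""
    sql = "SELECT title FROM jobs WHERE title LIKE '%" + query + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, query):
    """Fixed form: the input is passed as a bound parameter and stays data."""
    sql = "SELECT title FROM jobs WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + query + "%",))]


def compare(query):
    """Run both forms on one input; returns ((status, payload), (status, payload)).

    status is "ok" with the result rows, or "error" with the driver's message,
    which is how the well-intentioned "O'Reilly" user surfaces in the logs.
    """
    conn = make_db()
    try:
        concat_result = ("ok", search_concat(conn, query))
    except sqlite3.OperationalError as exc:
        concat_result = ("error", str(exc))
    param_result = ("ok", search_param(conn, query))
    return concat_result, param_result


if __name__ == "__main__":
    for q in ("O'Reilly", "hi' or 1=1 --"):
        print(repr(q), compare(q))
```

With the concatenated query, the apostrophe in "O'Reilly" produces a syntax error just like the one reported in the question, while the parameterised query finds the matching row and treats the second input as a plain (non-matching) string.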
