3

I was testing a web application written in Ruby (Rails framework) when I stumbled on the following request that was sent. I modified the request, and now it displays part of an SQL query to me. I am not familiar with SQL in Ruby, so I was wondering whether the following is vulnerable to SQLi.

POST REQUEST:

PUT /campaigns/42789 HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 31
Cookie: cookies here
Connection: keep-alive

{"email_campaign":{"id":42789}}

RESPONSE:

{"message":"Couldn't find Promotion with [WHERE `promotions`.`id` = ? AND (user_id IN (2170,2313) OR master_user_id = 2313)]"}

Is SQLI possible here?

techraf
  • 9,141
  • 11
  • 44
  • 62
Dhayalan Pro
  • 131
  • 2

1 Answer

4

Probably not.

As you can see, the query uses prepared statements:

WHERE `promotions`.`id` = ?

Of course, this is only a small part of the query; user input may be inserted directly into the query in other parts of it, so you should check whether the id parameter is vulnerable anyway. This may actually be the case: 2170 and 2313, for example, do seem to be injected into the query directly.

But just seeing parts of a query is no indication that an SQL injection is possible. It just tells you that something went wrong when performing the query.

Of course, sending this error message to the user is a bad idea in and of itself. The average user will just be confused by the message, and an attacker gains some information about the query structure (e.g. that it seems to use prepared statements, at least in part), table and column names, and possibly the software used, such as the type of DBMS.

tim
  • 29,018
  • 7
  • 95
  • 119
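To make the distinction in the answer concrete, here is an added example that is not code from the question, the answer, or the application being tested. It is a hypothetical, minimal re-implementation of the "?" placeholder binding that Rails-style query builders do (it is not ActiveRecord and needs no gems), placed beside an interpolating builder. The function names `promotions_sql_unsafe`, `promotions_sql_safe`, `bind` and `quote` are my own, and the payload is constructed for the demonstration; the table and column names are taken from the error message in the question.

```ruby
# Added example, not code from the question or the answer. A hypothetical,
# minimal re-implementation of "?" placeholder binding as a Rails-style
# query builder performs it; it is NOT ActiveRecord and needs no gems.

# Quote one value the way a MySQL-style adapter would: integers verbatim,
# arrays as a comma-joined list of quoted elements, everything else as a
# single-quoted string with quotes and backslashes escaped.
def quote(value)
  case value
  when Integer then value.to_s
  when Array   then value.map { |v| quote(v) }.join(",")
  else "'" + value.to_s.gsub(/(['\\])/) { "\\" + $1 } + "'"
  end
end

# Safe path: replace each "?" with a quoted value in a single pass, so a "?"
# inside an already-bound value is never treated as a fresh placeholder.
def bind(sql, *values)
  expected = sql.count("?")
  unless expected == values.length
    raise ArgumentError, "expected #{expected} values, got #{values.length}"
  end
  i = -1
  sql.gsub("?") { quote(values[i += 1]) }
end

# Vulnerable shape: request-controlled values interpolated straight into the
# SQL string. The IN (...) list is built with join, which is one way a
# fragment like "user_id IN (2170,2313)" ends up as literals in the query.
def promotions_sql_unsafe(id, user_ids, master_user_id)
  "SELECT * FROM promotions WHERE `promotions`.`id` = #{id} " \
    "AND (user_id IN (#{user_ids.join(',')}) OR master_user_id = #{master_user_id})"
end

# Hardened shape: every external value travels through a placeholder, which
# is what produces the "`promotions`.`id` = ?" fragment in an error message.
def promotions_sql_safe(id, user_ids, master_user_id)
  bind("SELECT * FROM promotions WHERE `promotions`.`id` = ? " \
       "AND (user_id IN (?) OR master_user_id = ?)", id, user_ids, master_user_id)
end

if __FILE__ == $0
  # Constructed payload standing in for a tampered PUT /campaigns/<id> request.
  payload = "42789 OR 1=1"
  puts promotions_sql_unsafe(payload, [2170, 2313], 2313)
  puts promotions_sql_safe(payload, [2170, 2313], 2313)
end
```

Run stand-alone, the unsafe builder emits `` `id` = 42789 OR 1=1 AND (...) `` and the safe one emits `` `id` = '42789 OR 1=1' AND (...) ``, where the quoted string can no longer change the query's structure. One caveat when reading such error messages: literal numbers next to a `?` do not by themselves prove string interpolation, because Rails hash conditions such as `where(user_id: [2170, 2313])` are often rendered by Arel as already-quoted literals rather than as binds. The only reliable check is to send a payload (a single quote, or `OR 1=1`) in each field you actually control, here the path id and the JSON `id`, and compare responses and timing against a benign value.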