I'm black-box pen testing a colleague's website for common vulnerabilities (mainly concerned with OWASP's top 10).

I've found a SQL injection vulnerability in a form since the use of special characters in one of the form field's values returns errors. The error specifies that an incorrect number of parameters were provided to some internal function - I suspect, given the purpose of the form, that some particularly complex query sits behind it.

I'm struggling to get any response other than this error. I've tried a browser tool to profile the query, hoping it would paint a picture of what the query looked like, ready for a demonstration of how it could be exploited, but it failed to identify a vulnerability at all.

How can I get a clearer picture of what the query looks like? Or is this entirely subjective and specific to this case?

An example answer I'd be after is a way of injecting SQL that, no matter where it sits, can be relied upon to test for vulnerability.

Note: If need be I can simply outline the fact that I've found a potential vector, but I'd like to be able to explain the extent to which it may be exploited.

  • 1
    What makes you think it's an SQL injection issue rather than an error in application logic? One possible scenario I can envisage from what you say is that the code detects bad characters but then fails in the function that is supposed to display an error message. – Alfred Armstrong Nov 30 '16 at 16:39
  • Well, to be more specific, it's doing a product search - and it mentions a GetProducts function in the error message. So I'm fairly certain it's to do with whatever action it's trying to perform with my search criteria. You make a great point though, I've never considered it part of the app logic. I'm sure it isn't here, but I didn't consider that. – Nov 30 '16 at 16:57
  • Could you [edit] your question to include the error messages you get? That may be helpful to figure out what is going on. – Anders Jun 29 '18 at 07:32

1 Answer

I've found a SQL injection vulnerability in a form since the use of special characters in one of the form field's values returns errors.

This is an incorrect assumption. Errors could indicate a poorly developed application which may or may not include a SQL Injection. To say that you have found SQLi at this stage is premature.

The error specifies that an incorrect number of parameters were provided to some internal function.

I would strongly recommend searching for the error message and using it to fingerprint the application. If it is a raw error message, you could find out the app/web-server/DB component that generates it.

I've tried a browser tool to profile the query, hoping it would paint a picture of what the query looked like, ready for a demonstration of how it could be exploited, but it failed to identify a vulnerability at all.

SQL Injection tools are now fairly mature. If the tool doesn't find anything, it is likely not a SQL Injection, or it is possible you are not using it correctly. Are the payloads generated doing what you want them to do (are they probing the form correctly)? What responses does the tool show?

OWASP's guide is a great place to start looking for a manual testing methodology. Depending on what you observe, some kind of "blind" exploration is likely required; perhaps you should look closely at UNION, boolean, or time-based detection techniques. Alternatively, throw sqlmap or havij at it, if this is within the scope of the pentest.

– Jedi
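To make concrete why a database error on a special character is suggestive but not proof, and what the fixed version of such a search looks like, here is an added example (not code from the question, the answer, or the site under test). It uses a constructed in-memory SQLite catalogue and a hypothetical stand-in for the page's GetProducts function, once with the search term spliced into the SQL text and once with it bound as a parameter.

```python
import sqlite3

def make_db():
    # Constructed in-memory product catalogue standing in for the site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("Widget", 9.99), ("Gadget", 19.99), ("O'Brien's Gizmo", 4.50)],
    )
    return conn

def get_products_vulnerable(conn, term):
    # Hypothetical stand-in for the page's GetProducts: the search term is
    # spliced into the SQL text, so a quote in the input alters the query and
    # the database reports a syntax error (the symptom described in the question).
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def get_products_safe(conn, term):
    # Hardened form: the term is bound as a parameter, so it is always treated
    # as data; a quote in a legitimate product name simply matches that name.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def probe(fn, term):
    """Run one search and report what a tester would observe:
    ("rows", [...]) on success or ("error", message) on a database error."""
    conn = make_db()
    try:
        return ("rows", fn(conn, term))
    except sqlite3.OperationalError as e:
        return ("error", str(e))

if __name__ == "__main__":
    for term in ["Widget", "O'Brien"]:
        print(repr(term), "vulnerable:", probe(get_products_vulnerable, term))
        print(repr(term), "safe:      ", probe(get_products_safe, term))
```

Only the concatenating version errors on the apostrophe; the parameterised version returns the matching product, which is the behaviour to recommend in the report regardless of how far the injection turns out to be exploitable.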