
Yesterday I posted a question about whether I could do an SQL injection with the following error code:

httpStatus":400,"errorCode":"BAD_QUERY_PARAMETER","message":"java.lang.NumberFormatException: For input string: \"'\"","implementationDetails":"com.sun.jersey.api.ParamException$QueryParamException: java.lang.NumberFormatException: For input string: \"'\"\n\tat com.sun.jersey.server.impl.model.parameter.QueryParamInjectableProvider$QueryParamInjectable.getValue(QueryParamInjectableProvider.java:74)

The strange thing was that I answered that it had been useful, because with another payload I tried, I got another error, something like:

Malformed escape pair at index 30: /app/view/products/view.html?language=EN&id=_PAYLOAD_&port=50000

But I was not able to inject the database, so is this a stack-trace type error? I would appreciate your answers...

user152754

1 Answer


The output is a stack trace, and it looks like the current parameter you are testing is not vulnerable to SQL injection. It's not clear if the application is vulnerable to SQL injection or not.

A stack trace is simply a listing of where in the process's call stack an exception occurred. In your case, it's a "java.lang.NumberFormatException". That means that the application can't cast the input string (a single quote, in this case) as a number.

When you come across exceptions like that, try googling them. You'll often find a wealth of information. For example, I googled the com.sun.jersey.api.ParamException$QueryParamException error message, and discovered that the application is using a RESTful framework named Jersey. See if you can find the API documentation for the error message, and see if the Param it's talking about is referring to parameterized SQL, or if it's just referring to a query string parameter.

Dan Landberg
  • Hi, I found this: http://grepcode.com/file/repo1.maven.org/maven2/com.ning/metrics.action/0.1.1/com/sun/jersey/server/impl/inject/InjectableValuesProvider.java But it does not mention any SQL – user152754 Jul 07 '17 at 21:16
  • Good! That leads me to believe that it's not talking about parameterized SQL, so the application may still be vulnerable to SQL injection. I would recommend doing some studying on building web applications, and possibly building one or two toy examples. I think you will learn a great deal about how to pen-test applications by understanding how they are built, and what some of the challenges are that developers face. – Dan Landberg Jul 10 '17 at 17:49
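To make the answer's point concrete, here is an added illustration (not code from the question, the answer, or the Jersey project) of why a `NumberFormatException` wrapped in `ParamException$QueryParamException` says something about the parameter's declared type rather than about the database. In Jersey 1.x, a `@QueryParam` bound to an `int` is parsed before the resource method is entered, so a non-numeric value is rejected with a 400 and never reaches any SQL. A `@QueryParam` bound to a `String` gets no such conversion; whether it is injectable depends entirely on what the method does with it. The resource path, table names and the JDBC URL below are assumed placeholders.

```java
// Added example, not from the page or the Jersey project.
// Jersey 1.x (com.sun.jersey) resource illustrating typed vs. untyped
// query parameters. Resource paths, table names and JDBC_URL are assumptions.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

@Path("/products")
public class ProductResource {

    // Placeholder; a real deployment would use a pooled DataSource.
    private static final String JDBC_URL = "jdbc:PLACEHOLDER://db.example/app";

    private Connection openConnection() throws SQLException {
        return DriverManager.getConnection(JDBC_URL);
    }

    // Case 1: typed parameter. Jersey runs Integer.parseInt on "id" before
    // calling this method. For a value such as a lone single quote the parse
    // fails, Jersey raises ParamException$QueryParamException wrapping
    // NumberFormatException, and responds 400 BAD_QUERY_PARAMETER. The
    // method body, and therefore the database, never sees the input.
    @GET
    @Path("/view")
    @Produces(MediaType.APPLICATION_JSON)
    public String viewById(@QueryParam("id") int id) throws SQLException {
        // Bind even a typed int; the habit holds if the type later changes.
        try (Connection conn = openConnection();
             PreparedStatement ps = conn.prepareStatement(
                     "SELECT name FROM products WHERE id = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : "";
            }
        }
    }

    // Case 2: String parameter concatenated into SQL. Jersey performs no
    // conversion, so the raw value reaches the query text. This is the
    // pattern that IS injectable: the same single quote that produced a
    // 400 in case 1 would here reach the database and surface as a
    // database syntax error instead of a framework stack trace.
    @GET
    @Path("/search-unsafe")
    @Produces(MediaType.APPLICATION_JSON)
    public String searchUnsafe(@QueryParam("name") String name) throws SQLException {
        try (Connection conn = openConnection();
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT name FROM products WHERE name = '" + name + "'")) { // vulnerable
            return rs.next() ? rs.getString("name") : "";
        }
    }

    // Case 3: same String parameter, bound through a PreparedStatement.
    // The value travels separately from the query text, so quotes are data
    // and no syntax error (or injection) is possible via this parameter.
    @GET
    @Path("/search")
    @Produces(MediaType.APPLICATION_JSON)
    public String searchSafe(@QueryParam("name") String name) throws SQLException {
        try (Connection conn = openConnection();
             PreparedStatement ps = conn.prepareStatement(
                     "SELECT name FROM products WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : "";
            }
        }
    }
}
```

The practical reading for a tester or a code reviewer: a `NumberFormatException` from the parameter injector (case 1) is a framework-level rejection and tells you nothing about how other parameters are handled; a database error message, by contrast, would indicate the input reached SQL (case 2). For defenders, the fix is the same regardless of declared type: bind every value with `PreparedStatement` (cases 1 and 3) and keep stack traces and `implementationDetails` out of production error responses, since they reveal framework and class names to anyone who sends a malformed request.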