
I'm testing for SQL Injection on a website.

Basically, I'm trying it in the following url:

http://example.org/webpage/*

where in place of the * the payload should be injected. When I try to put this in there: ' OR 1=1/*, the URL becomes http://example.org/webpage/'%20OR%201=1/* and this is the output:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '/*', 'IT', 'name=\' OR 1=1/*', 1499954730)' at line 1

Does this mean it's vulnerable to SQL injection? If yes, how can I try to exploit it with sqlmap? This is what I tried running:

$ sqlmap -u "http://example.org/webpage/*" but it says there is nothing injectable, and I strongly think it failed.

XRichardX
  • Did you test it like so, without the '*'? It seems the syntax error comes because you start a multiline comment ("/*") without ending it ("*/"). Run SQLMap on or use – Serverfrog Jul 13 '17 at 14:17
  • @Serverfrog I've tried running: `sqlmap -u "example.org/webpage/'%20OR%201=1--"` to the website, but it shows me: `[CRITICAL] all tested parameters appear to be not injectable.` – XRichardX Jul 13 '17 at 14:22
  • IMHO, you should make sqlmap display the visualise message https://security.stackexchange.com/questions/15621/why-cant-sqlmap-find-an-sql-injection-in-my-code – mootmoot Jul 13 '17 at 14:26
  • @XRichardX I think some more digging is in order. I don't know enough about sqlmap to know how to interpret its results, but I'm still very suspicious about the fact that you triggered an SQL error. I'm 95% sure this means that the site is not properly protected against SQL injection. Can you look at the code in question? Having direct access to the code will make it much easier to see if there is an injection possibility, and that will probably help you better understand your results from sqlmap (for future reference). – Conor Mancone Jul 13 '17 at 14:56
  • @mootmoot using `--risk=3 --level=3` flags in sqlmap outputs me the same `all tested parameters appear to be not injectable.` message. – XRichardX Jul 13 '17 at 15:47
  • @ConorMancone website's not mine. I can't, but I would like to find a correct SQL payload to exploit the issue. – XRichardX Jul 13 '17 at 15:48

2 Answers


I could be wrong, but I'm fairly certain that your main problem is that you are attempting to do MySQL injection wrong. As a general rule of thumb, if a payload can trigger an SQL syntax error then your attempts at preventing SQL injection are not really working. For instance, if you were using prepared queries, there is no way for the payload to result in an SQL syntax error at all.

In this particular case the problem is that you are using the wrong kind of comment to hide the rest of the command. In this case you would probably have more luck (making SQL Injection happen) if you used a double dash (--) or pound sign (#) which both start single-line comments in MariaDB. The comment character you are using (/*) is a multi-line comment character that has no closing comment character. This appears to be the source of the SQL error. While I'm not personally familiar with sqlmap, my suspicion is that it may not think there is an injection vulnerability, not because you are safe, but simply because your injection payload is generating an SQL error, and therefore no injection is happening. Try again with the proper comment character.

To reiterate, the fact that you are getting an SQL error makes me think that you are vulnerable to SQL injection; you just aren't doing the SQL injection properly.

Edit

I think your next step is to ignore sqlmap for a bit. The attack you are doing ' OR 1=1 would select all records. Your URL implies that this is a view kind of page, which shows only one record at a time. As a result, there are many cases where such an SQL injection payload may not actually have any results on the page in question. This is the part that can make it tricky: SQL injection is only "successful" if you can actually do something with the attack and impact the application in a meaningful way. So for instance if your payload causes it to load all records in the SQL command, but the page in question implicitly shows only the first result (because it is a view-type page), then you won't realize that your injection has been successful.

The short of it is that your given SQL injection payload is context-specific, and may not work in all places on a given website even if the page is vulnerable to SQL injection. That makes SQL injection extra tricky. Some sql injection tools can automate some of that trickiness, but I don't know if sqlmap is such a tool.

So ditch sqlmap for a moment. Try a different kind of payload. Instead of selecting ' OR 1=1 try doing ' AND 1=0. This should (theoretically) result in zero records. So if you get a 404 (or no results in general), I would consider that evidence that the page is vulnerable to SQL injection.

Of course, if you're feeling mean you could just try variants on '; DROP TABLE users-- until something breaks :) That would be mean though.

Conor Mancone
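To make the answer's reasoning concrete, here is an added example (not code from the question or either answer) that contrasts a concatenated lookup with a parameterised one in SQLite and runs the ' OR 1=1 versus ' AND 1=0 differential the Edit describes; the table, its rows and the lookup functions are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for the site's database (assumed schema, not the page's).
ROWS = [(1, "home"), (2, "about"), (3, "contact")]

def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE webpage (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO webpage VALUES (?, ?)", ROWS)
    return conn

def lookup_concatenated(name):
    # The flaw the error message on the page reveals: the input is spliced into the SQL text.
    sql = "SELECT id, name FROM webpage WHERE name = '" + name + "'"
    return _connect().execute(sql).fetchall()

def lookup_parameterised(name):
    # Prepared-statement form: the input is bound as a value and never reaches the parser.
    return _connect().execute("SELECT id, name FROM webpage WHERE name = ?", (name,)).fetchall()

def probe(lookup, name):
    """Run one probe and report the row count, or the database's syntax error."""
    try:
        return {"rows": len(lookup(name)), "error": None}
    except sqlite3.OperationalError as exc:
        return {"rows": None, "error": str(exc)}

# The probes discussed in the answer. SQLite, unlike MariaDB, silently tolerates an
# unterminated "/*", so the comment used here is the single-line "-- " the answer recommends.
PROBE_ALL = "' OR 1=1-- "    # returns every row if the input shapes the query
PROBE_NONE = "' AND 1=0-- "  # returns no rows if the input shapes the query
PROBE_QUOTE = "'"            # a lone quote: a syntax error means input reached the parser

def looks_injectable(lookup):
    """The answer's diagnostic, automated: a syntax error, or a differing row count between
    the 'everything' and 'nothing' probes, shows the input is being interpreted as SQL."""
    if probe(lookup, PROBE_QUOTE)["error"] is not None:
        return True
    return probe(lookup, PROBE_ALL)["rows"] != probe(lookup, PROBE_NONE)["rows"]

if __name__ == "__main__":
    for fn in (lookup_concatenated, lookup_parameterised):
        print(fn.__name__, "injectable:", looks_injectable(fn))
```

The parameterised version returns zero rows for all three probes and never raises, which is exactly why a prepared query cannot produce the error shown in the question.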

Good day to you.

You made a mistake with the injection point.

http://example.org/webpage/'%20OR%201=1/* <--- bad

http://example.org/webpage/*/ <--- good

Try to catch the full HTTP request with a web debugger (e.g. LiveHTTPHeaders / BurpSuite) and save it to a file (e.g. req.txt). After that, start sqlmap with the following command: python sqlmap.py -r req.txt --threads 10 --level 5 --risk 3 --random-agent --batch -v 3 and paste the output here.

All the best, N.T.