
I am trying to understand the SQLi so I ran SQLMap with '-vvv' parameter

4: Show also HTTP requests.

I did scan one of the vulnerable and 'free to hack' sites. In one of the requests sent, the response from SQLmap was:

[22:25:10] [DEBUG] got HTTP error code: 500 ('Internal Server Error')

[22:25:10] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --code=200)

I tried to use the same payload `GET /showforum.asp?id=1%20AND%20%28SELECT%20CHR%28116%29%7C%7CCHR%28100%29%7C%7CCHR%2885%29%7C%7CCHR%28111%29%20FROM%20SYSIBM.SYSDUMMY1%29%3D%27tdUo%27` in Burp, but it keeps throwing a 500 error.

Can someone explain to me how exactly SQLmap came to the conclusion that the parameter `id` is injectable while there was an error? I tried to compare different 500 error responses, but there is no difference between this specific payload and the other ones.

Any answer will be appreciated, thanks.

  • Does this answer your question? [What makes a SQL Injection count as blind injection?](https://security.stackexchange.com/questions/37121/what-makes-a-sql-injection-count-as-blind-injection) – Conor Mancone Jun 04 '20 at 22:27
  • The linked question may not be an exact answer to your question, but I think you'll get most of what you need there. Blind SQLi is when you don't get a detailed response from the application but infer that SQLi is happening because of changes in the response otherwise - often just a change of status code. Also see this: https://owasp.org/www-community/attacks/Blind_SQL_Injection – Conor Mancone Jun 04 '20 at 22:28
  • The problem is nothing changed in status code, I mean the response is same for: `GET /showforum.asp?id=1%20AND%20%28SELECT%20CHR%28116%29%7C%7CCHR%28100%29%7C%7CCHR%2885%29%7C%7CCHR%28111%29%20FROM%20SYSIBM.SYSDUMMY1%29%3D%27tdUo%27` and same for `GET /showforum.asp?id=1%20AND%203246%3D7682 HTTP/1.1` but SQLMap points the first one as 'found injectable...', and that's what I really don't understand. I mean for me there is no difference in the response – bip0larf0xiE Jun 05 '20 at 17:57
  • Presumably when you don't have any payload you get a 200, not a 500. That would be the "blind boolean" part. All the system tells you is that if you do try to inject a payload you get a 500, instead of 200. Getting data out in such a scenario is difficult and may be impossible, but typically if you get a 200 for a normal request and then a 500 for a request with an SQLi payload, that's a sign that it may be vulnerable. – Conor Mancone Jun 05 '20 at 18:32
  • Still lots of questions, but it's a bit brighter now, thanks! – bip0larf0xiE Jun 07 '20 at 20:36
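The comments above describe the core of a "boolean-based blind" verdict: the scanner compares the response to a plain request, to a request with a condition that is always true, and to one that is always false, and calls the parameter injectable when the true case matches the baseline and the false case does not. The following is an added example, not code from the question, from sqlmap, or from the site being tested. It simulates the `showforum.asp?id=` endpoint in Python on an in-memory SQLite database (an assumption; the real site appears to run DB2, so the DB2-specific `CHR`/`SYSIBM.SYSDUMMY1` payload from the question simply errors out here, which is exactly the 500 the question reports). It places the string-concatenated handler next to a parameterised one so you can see that the differential oracle exists for the first and vanishes for the second, and that a bare 500 from a malformed payload is not by itself what decides the verdict.

```python
import sqlite3

# Constructed stand-in for the forum database behind showforum.asp
# (assumption: one small table; the real site's schema is not on the page).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE forums (id INTEGER PRIMARY KEY, title TEXT)")
_db.executemany("INSERT INTO forums VALUES (?, ?)",
                [(1, "General"), (2, "Announcements")])
_db.commit()


def vulnerable_showforum(id_param: str) -> tuple[int, str]:
    """String-concatenated query: the injectable pattern.
    Returns (HTTP status, body) the way a scanner observes them."""
    sql = "SELECT title FROM forums WHERE id = " + id_param
    try:
        row = _db.execute(sql).fetchone()
    except sqlite3.Error:
        # Any syntax or semantic error in the injected SQL becomes a 500 page,
        # which is the "got HTTP error code: 500" line in the question's log.
        return 500, "Internal Server Error"
    return (200, f"Forum: {row[0]}") if row else (200, "No such forum")


def safe_showforum(id_param: str) -> tuple[int, str]:
    """Parameterised query plus type validation: client input never
    reaches the SQL parser as code, so no condition can change the page."""
    try:
        forum_id = int(id_param)
    except ValueError:
        return 400, "Bad Request"
    row = _db.execute("SELECT title FROM forums WHERE id = ?",
                      (forum_id,)).fetchone()
    return (200, f"Forum: {row[0]}") if row else (200, "No such forum")


def boolean_oracle(handler, base: str = "1") -> bool:
    """The differential check behind a 'boolean-based blind' verdict.
    A TRUE condition must leave the page unchanged and a FALSE condition
    must change it (status code, body, or both).  This mirrors the idea
    sqlmap applies, not sqlmap's own code or heuristics."""
    baseline = handler(base)
    when_true = handler(base + " AND 1=1")
    when_false = handler(base + " AND 1=2")
    return baseline == when_true and baseline != when_false


# The DB2-flavoured payload from the question; SQLite has no CHR function
# and no SYSIBM.SYSDUMMY1, so the concatenating handler answers 500.
MALFORMED_FOR_SQLITE = "1 AND (SELECT CHR(116) FROM SYSIBM.SYSDUMMY1)='t'"


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_showforum),
                          ("safe", safe_showforum)):
        print(f"{name}: boolean oracle present = {boolean_oracle(handler)}")
        print(f"{name}: malformed payload -> {handler(MALFORMED_FOR_SQLITE)}")
```

Run stand-alone, the concatenating handler reports an oracle (baseline and `1 AND 1=1` both render "Forum: General", `1 AND 1=2` renders "No such forum") and answers 500 to the malformed payload; the parameterised handler rejects every non-integer with the same 400, so the true and false cases are indistinguishable and no verdict can be reached. That is the property to check on your own endpoints: the page must not change with the truth value of anything an attacker appends.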

1 Answer

-1

500 Internal Error means that SQLmap's payload is being detected and it cannot fully exploit the target. You can try with the options --random-agent and/or --hex; maybe this will successfully do it.

BaiHui
  • Hi, thank you for your answer. I don't really want to exploit the database more; I just want to understand why, from two payloads which both resulted in the very same (byte by byte, word by word) response, one of them was marked as 'injectable' by SQLmap. This is really what I don't understand. – bip0larf0xiE Jun 05 '20 at 18:01
  • SQLmap first checks the response; for example, it will respond with a MySQL error, then sqlmap marks it as injectable. So it is possible that sqlmap just marks it as injectable, but whenever you try to inject any payload to determine tables and any other information it will be blocked. – BaiHui Jun 06 '20 at 12:29
  • Oh I see, now it makes sense, thank you – bip0larf0xiE Jun 07 '20 at 20:35