I am working on Hack the VM (hard machine) for my OSCP preparation.
There is a web app with two drop-down boxes, year and month. Both contain numbers, and there is a submit to fetch data from the DB based on year and month.
Now when I change the month value from 2, 3, 4, 5, etc. to /
I get this as an error:
"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'AND MONTH(our_date) = 1 ORDER BY our_date DESC' at line 1"
Which I believe is error-based SQL injection.
The problem is when I try this in sqlmap: I tried to increase the risk and level, but I don't get that the parameter is injectable.
If I change the value of month to 1' OR 1 = 1#, I get 502 Bad Gateway.
How could I move on?
I read this link, but it was not so helpful.
https://stackoverflow.com/questions/54809948/mariadb-sql-injection
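
Seen from the application side, as an added example that is not part of the original post: the query pattern the error message suggests, built by string concatenation, next to a version that re-validates the drop-down values server-side and binds them as parameters. Assumptions: an in-memory SQLite database stands in for MariaDB (strftime replaces YEAR()/MONTH()), and the table name `entries` and all function names are hypothetical; only `our_date` comes from the post.

```python
import sqlite3

def make_db():
    # Constructed sample data; table name is an assumption, our_date is
    # the column named in the post's error message.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entries (our_date TEXT, title TEXT)")
    db.executemany("INSERT INTO entries VALUES (?, ?)", [
        ("2023-01-15", "jan-a"), ("2023-01-20", "jan-b"), ("2023-02-03", "feb-a"),
    ])
    return db

def fetch_vulnerable(db, year, month):
    # Form values are pasted into an unquoted numeric position, so any
    # non-numeric input changes the statement the database parses.
    sql = ("SELECT title FROM entries "
           "WHERE CAST(strftime('%Y', our_date) AS INTEGER) = " + year +
           " AND CAST(strftime('%m', our_date) AS INTEGER) = " + month +
           " ORDER BY our_date DESC")
    return [r[0] for r in db.execute(sql)]

def parse_int(value, lo, hi):
    # A drop-down restricts nothing server-side: re-validate here.
    if not (value.isascii() and value.isdigit()) or not lo <= int(value) <= hi:
        raise ValueError("invalid selection")
    return int(value)

def fetch_hardened(db, year, month):
    y, m = parse_int(year, 1970, 2100), parse_int(month, 1, 12)
    sql = ("SELECT title FROM entries "
           "WHERE CAST(strftime('%Y', our_date) AS INTEGER) = ? "
           "AND CAST(strftime('%m', our_date) AS INTEGER) = ? "
           "ORDER BY our_date DESC")
    return [r[0] for r in db.execute(sql, (y, m))]

def outcome(fn, db, year, month):
    # Map each result to what the client should see: a generic message,
    # never the raw driver error text.
    try:
        return fn(db, year, month)
    except ValueError:
        return "400 invalid selection"
    except sqlite3.Error:
        return "SQL error reaches the error handler"
```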