Select * from Shop where Item = $item order by ProductNum desc

I found this vulnerability within a website. To test if there were any vulnerabilities I inserted a single quotation mark after

itemshop_secure.php?section=

And I stumbled upon this error message

Error Query [SELECT * FROM Shop Where Item = '\' order by ProductNum desc]

Every single quote is converted to "\" and a double quotation mark is converted to " \" ".

I also tried terminating it using ";" and injecting this query:

SELECT * FROM Shop 

But it just returned the same error:

Error Query [SELECT * FROM Shop Where Item = 'SELECT * FROM Shop ' order by ProductNum desc]

Is there any possibility that I could inject my own SQL query? PS: I tried ";" alone and it didn't show any error, unlike " ' ".

PNC
    Asking for help with breaking the law.... Not a good idea! – Jeroen Apr 04 '15 at 16:47
  • I agree with @Jeroen-ITNerdbox: There are not many [results for `inurl:"/itemshop_secure.php"` on Google](https://www.google.com/search?q=inurl:%22/itemshop_secure.php%22). – Gumbo Apr 04 '15 at 17:52
  • You guys are assuming that he's not testing the security of a plugin or his own website. – wireghoul Apr 05 '15 at 07:48
  • @wireghoul “I found this vulnerability within a website.” – Gumbo Apr 05 '15 at 08:43
  • Are you sure it’s actually MySQL and not [a DBMS that requires comparable data types like SQL Server](https://msdn.microsoft.com/en-us/library/ms175118.aspx)? Otherwise I wouldn’t have any clue why the last query would fail. – Gumbo Apr 05 '15 at 08:54
  • @Gumbo I'm not sure if it's MySQL, I just assumed. This website I'm hacking has a bounty system, so technically it's not illegal as long as I report it. – PNC Apr 05 '15 at 10:38
  • So what website are you talking about? – Gumbo Apr 05 '15 at 10:46
  • http://meta.security.stackexchange.com/questions/897/clarify-our-stance-on-black-hat-questions/ – wireghoul Apr 05 '15 at 22:15

1 Answer

It looks like the server has PHP configured with magic quotes on. Since the example query provided doesn't contain any quotes, you won't need to inject any quotes. Something like 1 union select @@version from shop -- - should give you an error about unions needing the same number of columns, proving the injection.

wireghoul
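The magic-quotes point in the answer above, as an added example that is not part of the original answer or the site being discussed: it reproduces the page's query pattern against a constructed in-memory SQLite table (the real schema is unknown; only Item and ProductNum are named on the page) and shows why addslashes-style escaping does nothing for an unquoted numeric comparison, next to the parameterized form that closes the hole.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the page's Shop table (assumed columns)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Shop (Item INTEGER, Name TEXT, ProductNum INTEGER);
        INSERT INTO Shop VALUES (1, 'sword', 10), (1, 'shield', 11), (2, 'potion', 20);
    """)
    return con


def magic_quotes(value):
    """Equivalent of PHP magic_quotes_gpc / addslashes(): backslash-escape ' " \\ and NUL."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\0", "\\0"))


def run(con, sql, params=()):
    """Return ('rows', [...]) or ('error', message) so callers can inspect both outcomes."""
    try:
        return ("rows", con.execute(sql, params).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def vulnerable_query(con, item):
    # The page's pattern: escaped input is concatenated into the SQL with no quotes
    # around it, so escaping quotes is irrelevant; anything quote-free becomes SQL.
    sql = f"SELECT * FROM Shop WHERE Item = {magic_quotes(item)} ORDER BY ProductNum DESC"
    return run(con, sql)


def safe_query(con, item):
    # Hardened form: bind the value as a parameter; the driver treats it as data only.
    sql = "SELECT * FROM Shop WHERE Item = ? ORDER BY ProductNum DESC"
    return run(con, sql, (item,))


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, "'"))                     # escaped quote -> syntax error, as on the page
    print(vulnerable_query(db, "1 union select 1 -- -"))  # column-count error, as the answer predicts
    print(safe_query(db, "1 union select 1 -- -"))       # no rows, no error: input stayed data
```

The column-count error is the signal the answer describes: the input reached the SQL parser even though every quote was escaped, which no escaping setting can fix, only parameter binding.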