
I have a small application with one field in which I can write a number and submit it; the page request goes to the server and I get a response or no response (as per the argument).

Now I checked the field for SQL injection and found that it is injectable, which is fine for me since I am in testing mode.

[screenshot of the scan result]

This is the result. Now how can I verify that this field was actually injectable? I tried copying the payload into the field and submitting it, but it didn't work.

The query that takes the argument is like this:

```php
// The request parameter is interpolated straight into the SQL text (no escaping, no binding)
$q = "select * from users where id = {$_REQUEST['cnic']}";

// REST OF CODE FOR ITERATING QUERY
```
  • You really need to post the weak code that this vulnerability has uncovered. It's impossible to know how to reproduce this since you haven't given enough content. – tadman Sep 14 '15 at 15:08
  • Yeah, that is **dangerously** bad code, the [archetypical injection bug](http://bobby-tables.com/), so it's good the scanner found it. When testing injection bugs you will have to properly URI encode your parameters. In this case, `page.php?id=PAYLOAD` where `PAYLOAD` is the injection payload properly encoded. – tadman Sep 14 '15 at 16:58
  • SQL injection has been known by the community for 15 years, at least. You will find a very good explanation here: http://stackoverflow.com/questions/5721786/how-does-sql-injection-work-and-how-do-i-protect-against-it. You will also find a very detailed demonstration page here: http://www.codebashing.com/sql_demo. – Mehmet Ince Sep 14 '15 at 17:42
  • The second one should have output something different on your page. – SilverlightFox Sep 15 '15 at 14:12
  • I doubt that this is the actual code. You would get a syntax error for a single `'` in your injected data that is missing its counterpart. – Gumbo Sep 15 '15 at 16:21

1 Answer

Given that sqlmap used an AND/OR time-based blind injection, you need to look at how long it took to perform the query.

If you submit the value "111' AND (SELECT * FROM (SELECT..." it will take 5 seconds or more (because of the SLEEP(5) inside, which gets executed).

See the sqlmap documentation; I am sure they describe that in more depth.

vlp
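As an added example (not the asker's code nor from the answer), here is the same `users` lookup written with a PDO prepared statement next to the vulnerable form from the question; the DSN, credentials and database name are placeholders. With the value bound as a parameter, input containing SLEEP(5) is compared as data rather than executed as SQL, so the response time stays flat, which is the timing check the answer describes.

```php
<?php
// Added example, not the asker's code. DSN, user, password and db name are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=APP_DB', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Vulnerable form from the question: the raw request value becomes part of the SQL
// text, so any SQL in it (including a SLEEP(5) call) is executed by the server.
function lookupVulnerable(PDO $pdo, string $cnic): array
{
    $q = "select * from users where id = $cnic";
    return $pdo->query($q)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value is bound as a parameter and cannot alter the query structure.
function lookupSafe(PDO $pdo, string $cnic): array
{
    // The field is meant to hold a number, so reject anything else before querying.
    if (!ctype_digit($cnic)) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :cnic');
    $stmt->bindValue(':cnic', (int) $cnic, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Timing check against your own test instance: with lookupSafe() a payload should not
// take measurably longer than a plain id, because the SQL never changes.
$input   = $_REQUEST['cnic'] ?? '';
$start   = microtime(true);
$rows    = lookupSafe($pdo, $input);
$elapsed = microtime(true) - $start;

header('Content-Type: application/json');
echo json_encode(['rows' => $rows, 'elapsed_seconds' => round($elapsed, 3)]);
```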