Quick question about SQL injections

[Shadow545]

I have found a vulnerable site ( I checked by putting an apostrophe at the end of the id=x ), but when using ORDER BY to find the number of columns, i go up to 99999999 and there is still no error. Is there anyway around this, or does it mean that it's actually not vulnerable at all? My syntax is right, so thats not the problem.

[Goatboy]

What you mean to say is that you found a flaw in a site you personally run.

[-Ninjex-]

It all depends on what is getting displayed back on the webpage; see if images are changing, etc. I couldn't really tell since I am not looking at it myself. You should read up on all the types of SQLi blind/inferential/etc. In short, the site may still be vulnerable, yes; especially if you received an error somewhere.

[mShred]

What is there error that you're getting with the when adding the apostrophe?

[Shadow545]

There are missing pictures and the page looks different, there is no actual SQL error message though.

[Goatboy]

They're probably pulling images and even page elements from the DB.

[-Ninjex-]

Look specifically into inferential SQLi

Code: Select all

SQL Injection can be broken up into
3 classes:

Inband
data is extracted using the same channel that is used to inject the SQL code.
This is the most straightforward kind of attack, in which the retrieved data is presented
directly in the application web page

Out of Band
data is retrieved using a different channel (e.g.: an email with the results of
the query is generated and sent to the tester)

Inferential
there is no actual transfer of data, but the tester is able to reconstruct the
information by sending particular requests and observing the resulting behaviour of the
website/DB Server.

- Joseph McCray

The above is a snippet outlining the different types of SQLi from Joseph McCray during a defcon speech that you can find here: http://hts.io/1lOvA

(off topic I will be back 100% tomorrow night)