
Quick question about SQL injections

PostPosted: Tue Oct 08, 2013 9:51 pm
by Shadow545
I have found a vulnerable site (I checked by putting an apostrophe at the end of the id=x), but when using ORDER BY to find the number of columns, I go up to 99999999 and there is still no error. Is there any way around this, or does it mean that it's actually not vulnerable at all? My syntax is right, so that's not the problem.

Re: Quick question about SQL injections

PostPosted: Tue Oct 08, 2013 10:41 pm
by Goatboy
What you mean to say is that you found a flaw in a site you personally run.

Re: Quick question about SQL injections

PostPosted: Wed Oct 09, 2013 1:53 am
by -Ninjex-
It all depends on what is getting displayed back on the webpage; see if images are changing, etc. I couldn't really tell since I am not looking at it myself. You should read up on all the types of SQLi blind/inferential/etc. In short, the site may still be vulnerable, yes; especially if you received an error somewhere.

Re: Quick question about SQL injections

PostPosted: Sat Oct 12, 2013 9:18 pm
by mShred
What is the error that you're getting when adding the apostrophe?

Re: Quick question about SQL injections

PostPosted: Sun Oct 13, 2013 5:17 pm
by Shadow545
There are missing pictures and the page looks different, but there is no actual SQL error message.

Re: Quick question about SQL injections

PostPosted: Sun Oct 13, 2013 8:12 pm
by Goatboy
They're probably pulling images and even page elements from the DB.

Re: Quick question about SQL injections

PostPosted: Mon Oct 14, 2013 12:32 pm
by -Ninjex-
Look specifically into inferential SQLi.

Code:
SQL Injection can be broken up into
3 classes:

Inband
data is extracted using the same channel that is used to inject the SQL code.
This is the most straightforward kind of attack, in which the retrieved data is presented
directly in the application web page

Out of Band
data is retrieved using a different channel (e.g.: an email with the results of
the query is generated and sent to the tester)

Inferential
there is no actual transfer of data, but the tester is able to reconstruct the
information by sending particular requests and observing the resulting behaviour of the
website/DB Server.

- Joseph McCray


The above is a snippet outlining the different types of SQLi from Joseph McCray during a defcon speech that you can find here: http://hts.io/1lOvA

(off topic I will be back 100% tomorrow night)
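An added example, not posted by anyone in this thread, of the situation Goatboy and -Ninjex- describe: page images are looked up from the database by the id parameter, the application swallows database errors, and so a broken query shows up only as missing pictures rather than as an error message. The schema, table name and image paths are constructed for the example; the hardened version validates the id as an integer and binds it as a parameter.

```python
import sqlite3

# Constructed sample data: a page whose image URLs live in the DB and are
# selected by the page id taken from the query string.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page_images (page_id INTEGER, url TEXT)")
    conn.executemany(
        "INSERT INTO page_images VALUES (?, ?)",
        [(1, "/img/header.png"), (1, "/img/logo.png"), (2, "/img/other.png")],
    )
    return conn

def images_vulnerable(conn, page_id: str):
    """Query built by string concatenation, with every DB error swallowed.

    Returns (urls, logged_error). A malformed id breaks the SQL, the error is
    hidden from the visitor, and the page simply renders without its pictures:
    the inferential signal the thread is talking about. The error string is
    what a server-side log would still capture."""
    sql = "SELECT url FROM page_images WHERE page_id = " + page_id
    try:
        return [row[0] for row in conn.execute(sql)], None
    except sqlite3.Error as exc:
        return [], f"{type(exc).__name__}: {exc}"

def images_safe(conn, page_id: str):
    """Hardened lookup: reject anything that is not an integer id, then bind
    the value as a parameter so it can never be parsed as SQL."""
    try:
        pid = int(page_id)
    except ValueError:
        return [], "rejected: id is not an integer"
    rows = conn.execute(
        "SELECT url FROM page_images WHERE page_id = ?", (pid,)
    )
    return [row[0] for row in rows], None

if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1 ORDER BY 1", "1 ORDER BY 99"):
        print(probe, "->", images_vulnerable(db, probe), images_safe(db, probe))
```

Run stand-alone it prints, for each input, what the vulnerable and the hardened lookup return; the interesting column is the swallowed error, which never reaches the browser but should always reach the application log.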