
I'm a student in computer security, and I'm trying to perform a SQLi on the following request:

SELECT * FROM Books WHERE 1 AND (LOWER(title) LIKE '%aaa%' 
OR LOWER(blurb) LIKE '%aaa%' OR LOWER(content) LIKE '%aaa%') AND 
(publish_date IS NULL OR publish_date <= '2016-08-22') ORDER BY date DESC LIMIT -5,5

So, aaa is where the injection happens. I tried ') UNION SELECT * FROM Books# but the server just sends me back this injection as a "search result", so it does not work.

In order to better match the request, I would do %'; REQUEST THAT I WANT; '%.

Or even better: %'; REQUEST THAT I WANT;SELECT * FROM Books WHERE LOWER(title) LIKE '%.

But for those last two, I get a "Bad Request" response.

Anders
mric750
  • The Bad Request response is probably a system safeguard. If it were just as simple as SQL syntax issues then you would get a Server Error, blank response, but not Bad Request. – 700 Software Aug 23 '16 at 13:09
  • @GeorgeBailey So maybe, no SQLi possible ? (but this is a training machine, it should be possible to attack it with SQLi) – mric750 Aug 23 '16 at 13:12
  • A safeguard would be like a firewall that checks for common attacks before reaching the app. If the safeguard kicks in, then it is not possible to find out whether the app itself was vulnerable. Sometimes you can customize the attack string to bypass the safeguard. – 700 Software Aug 23 '16 at 13:17
  • Once your attack reaches the app, a properly escaped SQL will produce 'no results'. In this case it would look like SQLi is not possible. However, if you get a server error or blank response, then you might be looking at SQLi. Bad Request usually means that you hit an extra security layer prior to the SQLi, but that is not universal. – 700 Software Aug 23 '16 at 13:17
  • @GeorgeBailey I indeed get a server Error, I will update my post for more clarity – mric750 Aug 23 '16 at 13:27
  • Ah yes, that is an important distinction. (Bad Request -vs- Server Error) Editing your question to indicate Server Error is a good idea. – 700 Software Aug 23 '16 at 14:17
  • @GeorgeBailey I created a new post for more clarity here: http://security.stackexchange.com/questions/134684/is-an-sql-injection-possible-here – mric750 Aug 23 '16 at 14:50
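An added example, not part of the question or of the training machine it refers to: the query from the question rebuilt against a small in-memory SQLite table (the rows are constructed sample data), once by splicing the search term into the SQL text and once with the pattern bound as a parameter. SQLite is assumed only because it runs anywhere; its comment marker is -- rather than MySQL's #, the LIMIT clause is left out, and the query is kept on a single line so the comment swallows the rest of it.

```python
import sqlite3

TODAY = "2016-08-22"  # the date the page's query compares publish_date against

# Constructed sample data, not from the original page.
ROWS = [
    ("Public Book", "a blurb", "some text", "2015-01-01", "2015-01-01"),
    ("Unreleased Book", "secret", "draft", "2030-01-01", "2016-08-01"),
    ("Another Title", "aaa inside", "more text", None, "2014-01-01"),
]


def make_db():
    """In-memory SQLite copy of a Books table with the columns the query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Books (title TEXT, blurb TEXT, content TEXT, "
                 "publish_date TEXT, date TEXT)")
    conn.executemany("INSERT INTO Books VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def search_concat(conn, user_input):
    """Vulnerable: the search term is spliced into the SQL text, which is what
    the question assumes the server does. The input appears three times, once
    per LIKE, exactly as in the page's query."""
    pattern = "%" + user_input + "%"
    sql = ("SELECT title FROM Books WHERE 1 AND (LOWER(title) LIKE '" + pattern + "' "
           "OR LOWER(blurb) LIKE '" + pattern + "' OR LOWER(content) LIKE '" + pattern + "') "
           "AND (publish_date IS NULL OR publish_date <= '" + TODAY + "') "
           "ORDER BY date DESC")
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, user_input):
    """Safe: same query, but the pattern is bound as a parameter. The driver
    sends the SQL text and the values separately, so a quote in the input
    can never close the literal."""
    pattern = "%" + user_input + "%"
    sql = ("SELECT title FROM Books WHERE 1 AND (LOWER(title) LIKE ? "
           "OR LOWER(blurb) LIKE ? OR LOWER(content) LIKE ?) "
           "AND (publish_date IS NULL OR publish_date <= ?) ORDER BY date DESC")
    return [row[0] for row in conn.execute(sql, (pattern, pattern, pattern, TODAY))]


# Closes the LIKE literal and the parenthesis, adds a tautology and comments
# out the rest of the single-line query, including the publish_date filter.
PAYLOAD = "') OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print(search_concat(conn, "aaa"))    # ['Another Title']
    print(search_concat(conn, PAYLOAD))  # all three titles, the unreleased one included
    print(search_param(conn, PAYLOAD))   # []  (payload treated as a search string)
```

With concatenation the payload turns the WHERE clause into `1 AND (LOWER(title) LIKE '%') OR 1=1`, so the publish_date filter is gone and the unreleased row leaks; with the bound parameter the same text is just a pattern nobody's title contains and the result is empty, which is the "search result" behaviour the question reports.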

1 Answer


You didn't specify how the server code actually fills in the search filter. It could very well use prepared statements, something like this:

import sqlite3

db = sqlite3.connect("books.db")  # any DB-API driver works the same way
# the ? placeholders are filled in by the driver, never by string concatenation
query = "SELECT * FROM Books WHERE LOWER(title) LIKE ? OR LOWER(blurb) LIKE ?"

pattern = "%" + user_input + "%"
...

result = db.execute(query, (pattern, pattern)).fetchall()

In other words, just because the code has to add %'s around the filter doesn't mean the whole SQL query gets built at the same time. Instead, the "prepared statement" lets the database itself fill in the additional values.

Or the code could just be very careful about escaping quotes in the input (as in the widely known mysql_escape_string()). While that's much easier to get wrong (not to mention slightly slower), it still avoids injections by making sure a raw ' never gets inserted.

user1686
  • The ' gets transformed into '\ by the server – mric750 Aug 23 '16 at 13:00
  • If `\ ` is also transformed to `\\ ` then there's probably no SQLi here. – 700 Software Aug 23 '16 at 13:06
  • @GeorgeBailey Indeed it is, but I don't understand why there would not be any SQLi – mric750 Aug 23 '16 at 13:33
  • @mric750, in your query `LIKE '%x%'` (where `x` is the attack input), if `'` becomes `\'` and `\ ` becomes `\\ `, then you can only produce inputs such as `LIKE '%\\\'%'` which will not produce desired SQLi behavior. On the other hand, if `'` were escaped, but `\ ` were not, then you could produce `LIKE '%\\'` followed by code to follow a successful SQL attack. It has to do with how strings are escaped. You can post a new question about this if you'd like more clarification about `\ ` and `'`. – 700 Software Aug 23 '16 at 14:14
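An added example, written for this page rather than taken from the poster or the commenters, that works through the escaping argument in the comments above. It assumes MySQL-style string literals (a backslash escapes the next character, a doubled '' is a literal quote, the default sql_mode without NO_BACKSLASH_ESCAPES) and compares two escapers: one that only handles the quote and one that handles the backslash first and then the quote. A small scanner finds where the LIKE literal closes, so we can tell whether attacker text lands outside the string.

```python
def escape_quotes_only(value):
    """Incomplete escaping: only the single quote is handled."""
    return value.replace("'", "\\'")


def escape_quotes_and_backslashes(value):
    """What the comments describe: backslash first, so the quote step cannot
    be undone, then the quote. Covers only these two characters; a real
    escaper such as mysql_real_escape_string also handles NUL, \\n, \\r, \\x1a
    and is charset-aware."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def literal_end(sql, start):
    """sql[start] is an opening quote. Return the index just past the matching
    closing quote under MySQL rules (backslash escapes the next character,
    '' is an escaped quote), or None if the literal never closes."""
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":
            i += 2              # \x : skip the escaped character
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2          # '' : still inside the literal
            else:
                return i + 1
        else:
            i += 1
    return None


def build_query(escaper, user_input):
    """The page's LIKE clause with the escaped input between the %'s."""
    return "SELECT * FROM Books WHERE LOWER(title) LIKE '%" + escaper(user_input) + "%'"


def injection_breaks_out(escaper, user_input):
    """True when the literal closes before the trailing %' we appended,
    i.e. part of the attacker's text is parsed as SQL rather than as string."""
    sql = build_query(escaper, user_input)
    end = literal_end(sql, sql.index("'"))
    return end is not None and end != len(sql)


PAYLOAD_QUOTE = "' OR 1=1 -- "        # needs a raw quote to reach the server
PAYLOAD_BACKSLASH = "\\' OR 1=1 -- "  # the backslash eats the escaping backslash

if __name__ == "__main__":
    for name, esc in (("quotes only", escape_quotes_only),
                      ("quotes and backslashes", escape_quotes_and_backslashes)):
        for payload in (PAYLOAD_QUOTE, PAYLOAD_BACKSLASH):
            print(name, repr(payload), build_query(esc, payload),
                  "-> breaks out" if injection_breaks_out(esc, payload) else "-> stays inside")
```

Escaping the quote alone stops `' OR 1=1 -- ` (it becomes `\'`, still inside the string) but not `\' OR 1=1 -- `: that becomes `\\'`, where the attacker's backslash pairs with the escaper's backslash and the quote is free again, giving `LIKE '%\\' OR 1=1 -- %'`. Escaping the backslash as well yields `\\\'`, the `%\\\'%` form the comment mentions, and the literal stays closed. If the server could run with NO_BACKSLASH_ESCAPES, or uses a different database, the rules in literal_end would have to change accordingly.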