Is an SQL injection possible here?

Question

I am a student in computer security and I'm training for a certification.

I have this URL that I want to attack (in a training lab):

http://URL/search/blabla/1

I replaced "1" with letters, as the following:

http://URL/search/blabla/aaa

Which creates this Error Message (I removed some parts to make it clearer):

Fatal error: .... in query — SELECT * FROM Books WHERE 1 AND (LOWER(title) LIKE '%blabla%' OR LOWER(blurb) LIKE '%blabla%') AND (publish_date IS NULL OR publish_date <= '2016-08-23') ORDER BY date DESC LIMIT -5,5'

So, first tried to get out of the quote with %'), add a new request and cancel with #:

%'); SELECT * FROM Books;#

=>Bad Request, Your browser sent a request that this server could not understand.

Second try, this time I copy the rest of the request given in the error message and cancel it with a #:

%') AND (publish_date IS NULL OR publish_date <= '2016-08-23') ORDER BY date DESC LIMIT -5,5'#

=> Bad Request again !

Do you think a SQL injection is possible here?

Looks susceptible to injection, because the bad request error indicate that the site didn't sanitize the input by parameterised query. Just remind you, there is two `%blabla%` that you need to take care. — mootmoot, Aug 23 '16 at 15:21
@mootmoot I see, but they both come from the same Injection point so I don't think the second %blabla% is really relevant — mric750, Aug 23 '16 at 15:30
You've actually done what is required - in a sense - as you've injected your own query (part of) into the application. Even if you're getting an error, you've injected foreign query language that isn't allowed. What are you trying to achieve exactly? ie: bring back other records, dump the database to an [OUTFILE](https://mariadb.com/kb/en/mariadb/select-into-outfile/), or [cripple the database](http://stackoverflow.com/questions/19496097/methods-to-prevent-ddos-based-mysql-queries-submitted-through-url-string), or *what*....? — hd., Aug 23 '16 at 15:44
Ok, as I only know one table name (Books), I want to retrieve all the results from Books, this is why I did "SELECT * FROM Books" in the first try. But I wonder why It does not work — mric750, Aug 23 '16 at 16:54
How is this question different from [the other one](http://security.stackexchange.com/questions/134670/sql-injection-with-like-operator) you just posted? — Anders, Aug 24 '16 at 07:13
Why are you using query stacking for your injection? Most database connection handlers will only let you run one query at a time. — rook, Aug 24 '16 at 07:31
@rook Thanks for this information, I did not know this. So if this server just allow one query at a time, I guess I must do something with the fist part of the original request and "redirect" it in a way... — mric750, Aug 24 '16 at 10:45

score 2 · Answer 1 · answered Aug 24 '16 at 07:33

The bad request does not indicate anything about the application. Instead, it indicates that Apache could not parse the request before passing it to the web application. Consider for example the following link, which gives the same error:

http://www.apache.org/icons/%');%20SELECT%20*%20FROM%20Books;#

This is because percent-sign has a special meaning in an URL. If you pass parameters in the URL, you should url-encode them:

%25%27)%3B%2520SELECT%2520*%2520FROM%2520Books%3B%23

One thing I notice is that although you get an SQL error, the injected value "aaa" is not present in the SQL query shown. This makes it hard to say whether this is vulnerable to SQL injection.

One tool that can help you with this is sqlmap. It is pretty good in automatically finding SQL injection on a given parameter.

"aaa" is present in the part of the error message that I did not put in my POST (here: sqlfetch(false) #1 /var/www/html/templates/routed/btx-dogwood-blog/search.php(12): BTXDogwood->getSearchPageOfPosts('"', 'aaa', 5)) — mric750, Aug 24 '16 at 10:48
But it's not relevant because it's not present in the SQL query — mric750, Aug 24 '16 at 10:49

Is an SQL injection possible here?

1 Answers1

Linked