
Sql map Manual Vulnerability Assessment

Information Security Asked by Badddy on December 20, 2020

I am trying to do penetration testing for one of my clients.
The platform is CodeIgniter.
There is an endpoint /find/1.
The function queries the vehicle table where the vehicle ID is 1, with no sanity check.

Now I tried the Acunetix scanner and it found both blind SQL injection and normal SQL injection on the website.
I need to show my client that there is actually a flaw, so I used sqlmap with various options.

For example, I know the backend DB is MySQL, --skip-waf

OK, endpoint /find/1*
Which means to inject at the position of the asterisk.

sqlmap performed a detailed evaluation, however it couldn't exploit the vulnerability. I also used the risk and verbose options to see the queries myself.

What I noticed is that * is marked as a non-permitted character in the CodeIgniter config, which prevents sqlmap from making select * from… etc. queries.

My question:

Shall I assume that the website is safe? Since I can see in the code that no sanity check has been performed on the "input data".

One Answer

It depends on what you mean by "no sanity check" is performed on the input parameter. If this means that the application takes the parameter, concatenates it into a SQL query and sends it to the database, the application is vulnerable for sure. Only blocking * is not enough to protect against SQL injection.

Never assume the site is safe, if you have doubts about it! Even if you are not able to create a working exploit, you should recommend implementing database queries using prepared statements (or similar mechanisms). It is considered best practice and there is usually no reason not to use them.

Answered by Demento on December 20, 2020
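The answer's point (a character blocklist is not a defence, a typed and parameterised query is) can be shown with a small self-contained script. The code below is an added illustration, not code from the question, the answer, or CodeIgniter: the vehicle table and its rows are constructed sample data, `DISALLOWED_URI_CHARS` is a hypothetical stand-in for the framework's permitted-character setting (modelling only the `*` rejection the question mentions), and SQLite is used in place of MySQL so it runs offline. The unsafe function concatenates the URI segment into the query exactly as the question describes; the safe function validates the type and binds the value as a parameter.

```python
import sqlite3

# Constructed sample rows standing in for the client's vehicle table.
SAMPLE_VEHICLES = [
    (1, "AB-123", "alice"),
    (2, "CD-456", "bob"),
    (3, "EF-789", "carol"),
]

# Hypothetical stand-in for a framework-level "permitted URI characters" filter.
# The question only says that '*' is rejected, so that is all this models.
DISALLOWED_URI_CHARS = "*"


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vehicle (id INTEGER PRIMARY KEY, plate TEXT, owner TEXT)"
    )
    conn.executemany("INSERT INTO vehicle VALUES (?, ?, ?)", SAMPLE_VEHICLES)
    conn.commit()
    return conn


def uri_filter_blocks(raw_id):
    """True if the character filter would reject the request before any query runs."""
    return any(ch in DISALLOWED_URI_CHARS for ch in raw_id)


def find_vehicle_unsafe(conn, raw_id):
    """The pattern the question describes: the URI segment goes straight into
    the SQL text. The '*' filter runs first, which is why a payload such as
    'UNION SELECT * ...' is rejected, but nothing else about the value is checked."""
    if uri_filter_blocks(raw_id):
        return None  # request rejected by the framework, query never executed
    sql = "SELECT id, plate, owner FROM vehicle WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def parse_vehicle_id(raw_id):
    """Strict type check: this route only makes sense for a non-negative integer."""
    if not raw_id.isdigit():
        return None
    return int(raw_id)


def find_vehicle_safe(conn, raw_id):
    """Hardened version: validate the type, then bind the value as a parameter
    so the database engine never interprets it as part of the SQL."""
    vehicle_id = parse_vehicle_id(raw_id)
    if vehicle_id is None:
        return []
    sql = "SELECT id, plate, owner FROM vehicle WHERE id = ?"
    return conn.execute(sql, (vehicle_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Input without any '*' slips past the filter but still changes the query logic;
    # the parameterised version treats it as data and returns nothing.
    for raw in ("1", "1 OR 1=1", "1 UNION SELECT * FROM vehicle"):
        print(
            repr(raw),
            "| unsafe ->", find_vehicle_unsafe(db, raw),
            "| safe ->", find_vehicle_safe(db, raw),
        )
```

Running the script shows the three cases side by side: a plain `1` returns one row from both functions, the `*`-containing input is refused by the filter (which is the behaviour that stalled sqlmap's default payloads), and an input with no asterisk at all returns every row from the concatenating function while the parameterised one returns nothing. That last case is the evidence the client needs: the filter changes which payloads work, not whether the query is injectable.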
