Sqlmap Manual Vulnerability Assessment

Information Security Asked by Badddy on December 20, 2020

I am trying to do penetration testing for one of my clients.
The platform is CodeIgniter.
There is an endpoint /find/1
The function queries the vehicle table where vehicle ID is 1 with no sanity check.

Now I tried Acunetix scanner and it found both blind SQL and normal SQL injection on the website.
I need to show my client there is actually a flaw, so I used sqlmap with various options.

Like, I know the backend DB is MySQL, `--skip-waf`.

OK, endpoint /find/1*
Which means to inject at the position of the asterisk.

Sqlmap performed a detailed evaluation, however it couldn't exploit the vulnerability. I used the risk and verbose options to see the queries myself as well.

What I noticed is that * is marked as a non-permitted character in the CodeIgniter config, which prevents sqlmap from making select * from… etc. queries.

My Question:

Shall I assume that the website is safe? Since I can see in the code that a sanity check has not been performed on the "input data".

One Answer

It depends on what you mean by "no sanity check" is performed on the input parameter. If this means that the application takes the parameter, concatenates it into a SQL query and sends it to the database, the application is vulnerable for sure. Only blocking * is not enough to protect against SQL injection.

Never assume the site is safe, if you have doubts about it! Even if you are not able to create a working exploit, you should recommend implementing database queries using prepared statements (or similar mechanisms). It is considered best practice and there is usually no reason not to use them.

Answered by Demento on December 20, 2020
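The answer's two points, that blocking `*` alone does not stop injection and that a prepared statement does, as an added example that is not part of the question or the answer. It is a Python stand-in for the PHP/MySQL endpoint (SQLite in memory, a constructed `vehicle` table, and a filter that models the "disallowed character" check from the question); in CodeIgniter itself the equivalent fix is query binding, passing the ID as a `?` parameter instead of concatenating it.

```python
import sqlite3

# Constructed stand-in for the /find/<id> lookup from the question:
# an in-memory SQLite "vehicle" table instead of the client's MySQL database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vehicle (id INTEGER PRIMARY KEY, plate TEXT)")
    conn.executemany("INSERT INTO vehicle VALUES (?, ?)",
                     [(1, "AB-123"), (2, "CD-456"), (3, "EF-789")])
    return conn

def rejects_star(value: str) -> bool:
    """Models the framework-level check the question mentions: the request
    is refused if the value contains '*'. Assumption: only '*' is blocked,
    as the question describes."""
    return "*" in value

def find_vulnerable(conn: sqlite3.Connection, vehicle_id: str) -> list:
    """The pattern the answer warns about: the parameter is concatenated into
    the SQL text, so any input without a '*' reaches the SQL parser as code."""
    if rejects_star(vehicle_id):
        return []
    sql = "SELECT id, plate FROM vehicle WHERE id = " + vehicle_id
    return conn.execute(sql).fetchall()

def find_prepared(conn: sqlite3.Connection, vehicle_id: str) -> list:
    """The fix the answer recommends: a prepared statement with a bound
    parameter. The value is sent as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, plate FROM vehicle WHERE id = ?", (vehicle_id,)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    good = "1"
    bad = "1 OR 1=1"   # constructed tautology input; it contains no '*'
    print(find_vulnerable(conn, good))  # [(1, 'AB-123')]
    print(find_vulnerable(conn, bad))   # all three rows: the '*' filter did not help
    print(find_prepared(conn, good))    # [(1, 'AB-123')]
    print(find_prepared(conn, bad))     # []: the whole string is compared as a value
```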
