AnswerBun.com

sqlmap Manual Vulnerability Assessment

Information Security Asked by Badddy on December 20, 2020

I am trying to do penetration testing for one of my clients.
The platform is CodeIgniter.
There is an endpoint /find/1.
The function queries the vehicle table where the vehicle ID is 1, with no sanity check.

Now I tried the Acunetix scanner and it found both blind SQL injection and normal SQL injection on the website.
I need to show my client that there is actually a flaw, so I used sqlmap with various options,

like: I know the backend DB is MySQL, `--skip-waf`,

and the endpoint /find/1*,
which means to inject at the position of the asterisk.

sqlmap performed a detailed evaluation, however it couldn't exploit the vulnerability. I used the risk and verbose options to see the queries myself as well.

What I noticed is that * is marked as a non-permitted character in the CodeIgniter config, which prevents sqlmap from making SELECT * FROM … etc. queries.

My Question:

Should I assume that the website is safe? Since I can see in the code that a sanity check has not been performed on the "input data".

One Answer

It depends on what you mean by "no sanity check" being performed on the input parameter. If this means that the application takes the parameter, concatenates it into a SQL query and sends it to the database, the application is vulnerable for sure. Only blocking * is not enough to protect against SQL injection.

Never assume the site is safe if you have doubts about it! Even if you are not able to create a working exploit, you should recommend implementing database queries using prepared statements (or similar mechanisms). It is considered best practice and there is usually no reason not to use them.

Answered by Demento on December 20, 2020
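The following is an added illustration of the answer's two points (a `*` blocklist does not stop injection into a concatenated query; binding the value does), written for this page rather than taken from the question, the answer or CodeIgniter. It uses an in-memory SQLite table as a constructed stand-in for the client's MySQL `vehicle` table, with assumed column names `id` and `plate`.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the 'vehicle' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vehicle (id INTEGER PRIMARY KEY, plate TEXT)")
    conn.executemany(
        "INSERT INTO vehicle VALUES (?, ?)",
        [(1, "ABC-001"), (2, "DEF-002"), (3, "GHI-003")],
    )
    return conn


def reject_star(value):
    """Mimics a framework-level disallowed-character filter that blocks only '*'."""
    if "*" in value:
        raise ValueError("disallowed character in input")
    return value


def find_vulnerable(conn, raw_id):
    """'No sanity check': the request parameter is concatenated into the query.

    The '*' filter is applied first, yet any value without a '*' still reaches
    the SQL parser as SQL, so the WHERE clause can be rewritten by the caller.
    """
    query = "SELECT id, plate FROM vehicle WHERE id = " + reject_star(raw_id)
    return conn.execute(query).fetchall()


def find_safe(conn, raw_id):
    """Prepared statement: the value is bound as data and never parsed as SQL.

    A non-numeric string simply fails to match any integer id, so the query
    returns no rows instead of a changed result set.
    """
    query = "SELECT id, plate FROM vehicle WHERE id = ?"
    return conn.execute(query, (raw_id,)).fetchall()


def compare(raw_id):
    """Return (vulnerable_rows, safe_rows) for the same input, for side-by-side review."""
    conn = make_db()
    return find_vulnerable(conn, raw_id), find_safe(conn, raw_id)


if __name__ == "__main__":
    print("legit request  :", compare("1"))          # both return the single row for id 1
    print("tautology input:", compare("1 OR 1=1"))   # concatenated: all rows; bound: no rows
```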
