Mike asked on
Sql Injection issue
Question: I was asked to do a security audit on a few of our websites, and one pops up on the scan with a possible SQL injection. When I plug in the code below I get the following error (shown below). I am kind of new to SQL injections... could somebody explain what I may be missing here...
URL Code that gives me error below:
http://www.website.com/ingenii.cgi?cart_id=6L8ZuK.a7221&maxp=20&ppinc=searchresults&search=%5c
Sql error
Couldn't exec sth!
QUERY: INSERT INTO search_terms (search_term) values ('\')
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\')' at line 1
ASKER
Ok... so based on the error message I got... what am I not seeing in it? Not sure how the SQL injection would work in this example...
That error looks like it is coming from your CGI script. Your URL includes "search=%5c", and %5c is a URL-encoded slash. Seeing that along with the error, "syntax to use near ''\'", means you are accepting input without scrubbing it first and are thus open to an SQL injection. Unless the CGI script is what caught the slash, or is that your scanning software?
That is vulnerable to SQL injection, and I recommend you make sure to fix it with proper sanitization. Don't forget to also make sure the permissions of your SQL user are not root; otherwise attackers don't even have to use an admin login etc. to put a shell on your website. Easily doable with load_file() with root permissions.
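As an added illustration (not code from the thread or from the site's CGI script), the block below reproduces why a lone URL-encoded backslash breaks the query shown above, and contrasts the string-pasting pattern with a parameterised insert that stores the same input as plain data. It assumes a `search_terms` table with an `id` and a `search_term` column, and uses an in-memory SQLite database in place of MySQL; the unsafe builder only constructs the SQL text and is never executed.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample values: the raw query-string parameters from the thread's
# URL ("search=%5c") and its later probe ("search=test+ORDER+BY+1--").
RAW_PARAMS = ["%5c", "test+ORDER+BY+1--", "plain+search"]


def decode_param(raw):
    """Decode a query-string value the way a CGI library would ("%5c" -> "\\")."""
    return unquote_plus(raw)


def build_query_unsafely(search_term):
    """The pattern the CGI script appears to use: the decoded parameter is pasted
    straight into the SQL text.  In MySQL a backslash escapes the next character,
    so a lone "\\" swallows the closing quote and the string literal never ends,
    which is exactly the syntax error near ''\')' in the thread."""
    return "INSERT INTO search_terms (search_term) values ('%s')" % search_term


def open_demo_db():
    """In-memory SQLite stand-in for the MySQL table assumed above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE search_terms (id INTEGER PRIMARY KEY, search_term TEXT NOT NULL)"
    )
    return conn


def record_search_term_safely(conn, search_term):
    """Parameterised insert: the value travels separately from the SQL text, so
    quotes, backslashes or SQL keywords in the input cannot change the statement.
    MySQL drivers use the same shape with %s placeholders instead of ?."""
    cur = conn.execute(
        "INSERT INTO search_terms (search_term) VALUES (?)", (search_term,)
    )
    conn.commit()
    return cur.lastrowid


def stored_terms(conn):
    """Return every stored term in insertion order."""
    rows = conn.execute("SELECT search_term FROM search_terms ORDER BY id")
    return [row[0] for row in rows]


def demo():
    """Show the broken query text, then store all three inputs safely."""
    terms = [decode_param(p) for p in RAW_PARAMS]
    unsafe_sql = build_query_unsafely(terms[0])   # the failing QUERY from the thread
    conn = open_demo_db()
    for term in terms:
        record_search_term_safely(conn, term)
    return unsafe_sql, stored_terms(conn)


if __name__ == "__main__":
    sql, saved = demo()
    print("Unsafe query text:", sql)
    print("Safely stored terms:", saved)
```

Running it prints the exact `INSERT ... values ('\')` text from the error page, followed by all three inputs stored verbatim by the parameterised path. The error text in the thread also shows the script echoing the failing query back to the browser; that detail belongs in a server-side log, not in the HTTP response.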
ASKER
So if I plug an SQL statement behind "search=%5c", it's going to execute the SQL injection without scrubbing it first... could you give me an example so I can have a better understanding?
So do this: "search=+ORDER+BY+100--" and see if it gives you an error. If it does, do this:
"search=test+ORDER+BY+1--" and tell me if that gives you an error.
If you would like you can contact me by posting your email on my profile and I can contact you directly to help.
Here is an article from one of your Experts
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/Cold_Fusion_Markup_Language/A_10655-Preventing-SQL-Injection-Cross-Site-Scripting-using-ColdFusion.html
Ok, whatever you do, don't use the ColdFusion server if you're going to use the markup language. Every version of ColdFusion has public 0day exploits and is extremely easy to hack into.
My bad.... I thought that was the php article.
ASKER
I used the string and it didn't give me an error.
It's a little difficult to help you sqli this over comments, just google how to or use this guide: https://www.owasp.org/index.php/SQL_Injection
ASKER
Thanks for the help...
You should never accept data directly from a URL, POST, cookie, etc. without first scrubbing the data.