-4

I can inject SQL with sqlmap but am unable to understand how this works. There is no echo or print command on my script, but sqlmap returns data with database name and details.

Here is the instance it has found:

$sql = "SELECT * FROM application where id=$id"; // $id is interpolated unescaped into the SQL text
$act_res = mysql_query($sql);

If there is no echo or print and I also stop error reporting, then how did sqlmap get information by SQL injection?

halfer
Asik
  • What kind of SQL injection exploitation/exfiltration method does sqlmap use? – Gumbo Feb 08 '15 at 12:14
  • retrieve database name, table names etc. – Asik Feb 08 '15 at 12:32
  • No, I meant what [technique](https://github.com/sqlmapproject/sqlmap/wiki/Techniques) is it using in your specific case. – Gumbo Feb 08 '15 at 12:53
  • I am just simply using this: `$sql ="SELECT * FROM application where id=$id"; $act_res = mysql_query($sql);` And sqlmap returns the database name. There is no echo command, then how does it work? – Asik Feb 08 '15 at 12:59
  • I expect `$id` comes from user input, and it has not been bound, escaped or cast - and thus arbitrary SQL may be injected into the query. – halfer Feb 08 '15 at 13:15
  • But what [technique](https://github.com/sqlmapproject/sqlmap/wiki/Techniques) is sqlmap using in your case? What does it print when you try to retrieve some information from the database? – Gumbo Feb 08 '15 at 13:27
  • My point is this script is SQL-injectable, but here I am not using any echo or print, then how does sqlmap retrieve data using SQL injection?? – Asik Feb 08 '15 at 13:39
  • @Asik - do you have error reporting turned off? If you pass in dodgy data, is the error message displayed to the screen? – andrewsi Feb 08 '15 at 14:13
  • If sqlmap is able to retrieve the database name and other data, why don’t you just tell us what technique sqlmap uses? It prints that information every time you use it after successful detection. – Gumbo Feb 08 '15 at 14:27
  • Yes, I have turned off error reporting. I don't know the technique, this is why I am asking a question here. But why are you always asking me for the technique? My script has no print or echo statement. I want to know the technique used in sqlmap to retrieve data without any print or echo statement. Thanks – Asik Feb 08 '15 at 16:53
  • sqlmap tells you exactly the [exploitation technique](https://github.com/sqlmapproject/sqlmap/wiki/Techniques) that it uses. Just give us an example of its console output. – Gumbo Feb 08 '15 at 17:08
  • @Gumbo do you know how sqlmap works? This was my question: my PHP script has no echo or print, then how does sqlmap show data from that script? – Asik Feb 12 '15 at 03:56
  • Yes, I know how sqlmap works. And to tell you how it manages to extract the mentioned data, you need to know what [technique](https://github.com/sqlmapproject/sqlmap/wiki/Techniques) it uses in your case. Why don’t you read the wiki page that I have already linked to four times, run sqlmap again and tell us what it says about the detected injection point? – Gumbo Feb 12 '15 at 06:06

2 Answers

2

Your piece of code has one security problem:

You need to sanitize your input $id. If the id in your DB is an int you can protect against SQL injection by checking if it's an int with the is_int() function.

The script of SQLMAP will try injections in your vulnerable $id input.

If the hacker puts ID; SQLInjectionHere-- into the $id, the query will be:

SELECT * FROM application WHERE id=ID; SQLInjectionHere--

An attacker will be able to do another SQL request without permission.

You can also add verbose on your SQLMAP with -v

PS: Bad practice to use SELECT * ( Why? )

glassback
  • I know this is injectable... But there is no echo or print, then how will it get data by SQL injection? Thanks – Asik Feb 12 '15 at 03:57
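The following is an added example, not code from the question or from the answer above: the interpolated lookup from the question rebuilt in Python against an in-memory SQLite table (SQLite stands in for MySQL here, an assumption; the point about query structure is the same for both), beside a parameterised version and an integer allow-list check. Note that PHP's `is_int()` returns false for the string values that `$_GET`/`$_POST` carry, so the PHP equivalents of the check below are `ctype_digit()` or `filter_var(..., FILTER_VALIDATE_INT)`, and the equivalent of the parameterised query is a PDO or mysqli prepared statement.

```python
# Added example, not code from the question or the answer: the interpolated
# lookup from the question rebuilt in Python, beside a parameterised version
# and an integer allow-list check.  SQLite stands in for MySQL (assumption).
import re
import sqlite3


def make_db():
    """Build an in-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE application (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO application VALUES (?, ?, ?)",
        [(1, "alice", "alpha"), (2, "bob", "bravo"), (3, "carol", "charlie")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """Mirrors `SELECT * FROM application where id=$id`: the request value is
    pasted into the SQL text, so it can change the query's structure, not
    just the value being compared."""
    return conn.execute(
        f"SELECT id, owner FROM application WHERE id={raw_id}"
    ).fetchall()


def lookup_parameterised(conn, raw_id):
    """The value travels separately from the SQL text; the engine only ever
    treats it as a value to compare against id."""
    return conn.execute(
        "SELECT id, owner FROM application WHERE id=?", (raw_id,)
    ).fetchall()


def validate_id(raw_id):
    """Allow-list check for a request parameter: accept only a plain decimal
    integer string and return it as int, or None for anything else.
    (PHP equivalent: ctype_digit() / filter_var(..., FILTER_VALIDATE_INT);
    is_int() would reject every request string, since they are strings.)"""
    if isinstance(raw_id, str) and re.fullmatch(r"[0-9]+", raw_id):
        return int(raw_id)
    return None


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", lookup_vulnerable(db, "2"))
    print("tautology, vulnerable query:", lookup_vulnerable(db, "2 OR 1=1"))
    print("same input, parameterised:", lookup_parameterised(db, "2 OR 1=1"))
    print("validated:", validate_id("2"), validate_id("2 OR 1=1"))
```

Running it shows why the absence of `echo` does not close the hole: with the input `2 OR 1=1` the vulnerable query returns three rows instead of one, so whatever the page does with `$act_res` afterwards (row count, branch taken, response time, error path) behaves differently, and that difference is the channel a blind technique reads. The parameterised query returns nothing for the same input, and the allow-list check rejects it before any query runs.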
0

One way is with SLEEP(). If you send in SLEEP(5), SLEEP(10), SLEEP(15), and the responses take 5.3 seconds, 10.2 seconds, and 15.5 seconds to generate, you can be pretty sure that you've found a hole.

Blender
  • can you expand on this ? – MyName Dec 08 '17 at 04:25
  • can you expand on this? What information does the sleep time give that allows inferring of vulnerabilities? Thanks. – MyName Dec 08 '17 at 04:34
  • @MyNameIsZero: Since you have full control over the query but can't see any output, you can use `SLEEP()` to send back information. For example, you can inject a query that waits for 1 second if the first letter of a field is `a`, 2 seconds if the first letter is `b`, etc. Based on the time it takes to receive a response, you know what the first character is. You can repeat for the second, third, and so on until you've dumped out the entire field. – Blender Dec 08 '17 at 04:46
  • @MyNameIsZero: Vulnerable queries assume that their parameters will be passed as literals. If you try logging in with the username `asd` and it takes 0.3 seconds, `xyz` takes 0.4 seconds, `jklmnop` takes 0.42 seconds, but `' OR sleep(100000)` locks the login page up, you can be pretty sure that the field wasn't sanitized properly even if you can't see any output. – Blender Dec 08 '17 at 04:53
  • @MyNameIsZero: Read the [sqlmap techniques](https://github.com/sqlmapproject/sqlmap/wiki/Techniques) page for more information on different types of SQL injection techniques. – Blender Dec 08 '17 at 04:56
  • aren't these "timing" techniques sensitive to network lag? If the connection becomes slower and then faster again, can this result in false positives identified by sqlmap? – MyName Dec 08 '17 at 19:26
  • @MyNameIsZero: It depends on how slow you want to go. I don't know what exact technique sqlmap uses, but you could send *n* requests and average the response times to minimize latency spikes. – Blender Dec 08 '17 at 21:06