
I'm doing a website PT lab and I'm trying to figure out an SQL vulnerability in MariaDB. After some scanning I found the /api/ path, and for one of the endpoints I found out that ' gives me the desired SQL error:

My request:

    GET /api/tests?from=1&to=1' HTTP/1.1
    Host: *some host*
    Cookie: *some cookie*
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Chromium";v="127", "Not)A;Brand";v="99"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Linux"
    Accept-Language: en-GB
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.89 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Priority: u=0, i
    Connection: keep-alive

And the response:

    {
      "err": {
        "text": "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1",
        "sql": "SELECT tests.name,tests.author,tests.status,tests.updated_at,tests.link,users.id,users.full_name FROM tests LEFT JOIN users ON tests.author = users.id WHERE tests.status = 1 LIMIT 1, 1' - parameters:[]",
        "fatal": false,
        "errno": 1064,
        "sqlState": "42000",
        "code": "ER_PARSE_ERROR"
      },
      "msg": "Failed To Get Data"
    }

I was given test credentials (TestAccount and some password); in the cookie there is a role field. The test account has a student role, but if I change it to a teacher role (strangely, there is no need to change the token) I get access to all the databases in the API.

No matter what I do (including most of what is described here: https://book.hacktricks.xyz/pentesting-web/sql-injection ), I can't fix the query after escaping. Running SQLMap didn't help.
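The two defects visible in the question are the pagination values concatenated straight into the LIMIT clause (the error response even echoes the assembled SQL back to the client) and a role taken from a client-editable cookie field. The following is an added example, not the lab's code or anything from the question, showing the unsafe query builder next to a hardened, driver-agnostic handler. The function names, the session store, the "teacher only" rule for this endpoint and the sample token are assumptions made for illustration.

```javascript
// Added example (not from the question or the lab's code): a hardened
// version of the /api/tests handler. Function names, the session store and
// the "teacher only" rule are assumptions for illustration.

// Pagination bounds must be plain non-negative integers before they reach SQL.
function parsePageBound(value, name) {
  if (typeof value !== "string" || !/^\d{1,9}$/.test(value)) {
    throw new RangeError(`invalid ${name}: must be a non-negative integer`);
  }
  return Number(value);
}

const TESTS_SELECT =
  "SELECT tests.name,tests.author,tests.status,tests.updated_at,tests.link," +
  "users.id,users.full_name FROM tests LEFT JOIN users ON tests.author = users.id " +
  "WHERE tests.status = 1 LIMIT ";

// The vulnerable pattern that produces the error shown in the question:
// request parameters concatenated directly into the LIMIT clause.
function buildTestsQueryUnsafe(from, to) {
  return TESTS_SELECT + from + ", " + to;
}

// Hardened form: validate first, then bind as typed parameters.
// The SQL text is a constant; the driver receives {sql, params} separately.
function buildTestsQuery(fromRaw, toRaw) {
  const from = parsePageBound(fromRaw, "from");
  const to = parsePageBound(toRaw, "to");
  return { sql: TESTS_SELECT + "?, ?", params: [from, to] };
}

// The role comes from server-side session state keyed by the token.
// cookies.role is ignored on purpose: the client can set it to anything.
function resolveRole(cookies, sessionStore) {
  const session = sessionStore.get(cookies.token);
  if (!session) throw new Error("unauthenticated");
  return session.role;
}

// Assembled handler: returns the status and, on success, the query to execute.
// Validation failures get a bare 400; SQL text and driver errors never leave the server.
function handleTestsRequest(cookies, query, sessionStore) {
  let role;
  try {
    role = resolveRole(cookies, sessionStore);
  } catch (e) {
    return { status: 401 };
  }
  if (role !== "teacher") return { status: 403 };
  try {
    const q = buildTestsQuery(query.from, query.to);
    return { status: 200, sql: q.sql, params: q.params };
  } catch (e) {
    return { status: 400 };
  }
}

// Stand-alone demonstration with a constructed session store.
const demoStore = new Map([["tok-constructed", { role: "student" }]]);
console.log(buildTestsQueryUnsafe("1", "1'"));            // ends in "LIMIT 1, 1'"
console.log(handleTestsRequest({ token: "tok-constructed", role: "teacher" },
                               { from: "1", to: "1'" }, demoStore)); // { status: 403 }
```

With a MariaDB driver the returned `params` are bound as integers to the two placeholders; because the SQL string no longer depends on request input, a stray quote in `to` is rejected at validation time rather than reaching the parser, and editing the cookie's `role` field changes nothing because the server only consults its own session record.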

  • Try a UNION, even though this generally isn’t valid directly after a LIMIT clause. Try appending a second SQL query after a semicolon in case multi-queries are supported. Try the PROCEDURE analyse trick.
    – Ja1024
    Commented Aug 9, 2024 at 21:10
  • @Ja1024 Hey, thanks for your reply. So I guess you mean something like GET /api/tests?from=1&to=10%E2%80%98%20UNION%20SELECT%201%2C2%2C3%2C4%2C5%2C6%2C7%20--%20- (this is ‘ UNION SELECT 1,2,3,4,5,6,7 -- - in URL encoding). And this gives somewhat the same error: "SELECT tests.name,tests.author,tests.status,tests.updated_at,tests.link,users.id,users.full_name FROM tests LEFT JOIN users ON tests.author = users.id WHERE tests.status = 1 LIMIT 1, 10'UNION SELECT 1,2,3,4,5,6,7 -- - - parameters:[]","fatal":false,"errno":1064,"sqlState":"42000","code":"ER_PARSE_ERROR"}
    – ewondles
    Commented Aug 10, 2024 at 9:14
  • @Ja1024 Following the advice from GitHub leads to a similar result: "SELECT tests.name,tests.author,tests.status,tests.updated_at,tests.link,users.id,users.full_name FROM tests LEFT JOIN users ON tests.author = users.id WHERE tests.status = 1 LIMIT 1, 10' procedure analyse(extractvalue(rand(),concat(0x3a,version())),1) - parameters:[]"
    – ewondles
    Commented Aug 10, 2024 at 9:17
  • You sure the endpoint is vulnerable?
    Commented Aug 10, 2024 at 10:47
  • Your input still contains the single quote from your initial test. You need to get rid of this. Besides that, don’t expect this to be a trivial challenge which can be solved on the first attempt. You have to be willing to try things out, analyze the exact error (e.g., by running the query against a local test database), make adjustments, try again etc.
    – Ja1024
    Commented Aug 10, 2024 at 10:47
