I'm trying to test a challenge website using ModSecurity as a WAF. When I put '
in the user agent I got an error from MySQL.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''')' at line 1
Now I'm trying to exploit it with this header:
User-Agent: brick') order by 15 --+
The result is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')' at line 1
I found another input that is vulnerable to SQL injection too; I think maybe it's easier to exploit...
' order by 15 --+
I tried to inject like this example and it works; the result:
Unknown column '15' in 'order clause'
etc.
But when I tried order by 2
I got this result:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by 2 -- ', '', '', '', '5', 'Lbs', '', 'Mozilla/5.0')' at line 1
Any ideas on how to exploit?
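The errors quoted above show the User-Agent value being concatenated as the last literal of a multi-column INSERT, so a single quote breaks the statement and the database error is echoed back. The following is an added example, not the challenge site's code: a hypothetical visit-logging function in the same shape (using an in-memory SQLite database instead of MySQL, so the exact error text differs), first with string concatenation and then with parameter binding, which stores the header as plain data.

```python
import sqlite3

# Constructed table: several fixed columns, then the User-Agent last, matching
# the VALUES list visible in the MySQL error message ('', '', '', '5', 'Lbs', '', UA).
SCHEMA = "CREATE TABLE visits (c1 TEXT, c2 TEXT, c3 TEXT, c4 TEXT, c5 TEXT, c6 TEXT, ua TEXT)"


def log_visit_vulnerable(conn, user_agent):
    # The header value is pasted into the SQL text, so a quote inside it ends
    # the string literal early and the remainder is parsed as SQL.
    sql = "INSERT INTO visits VALUES ('', '', '', '5', 'Lbs', '', '%s')" % user_agent
    conn.execute(sql)
    conn.commit()


def log_visit_safe(conn, user_agent):
    # Parameter binding: the value travels separately from the SQL text, so
    # quotes, parentheses and comment sequences are stored literally.
    conn.execute(
        "INSERT INTO visits VALUES ('', '', '', '5', 'Lbs', '', ?)", (user_agent,)
    )
    conn.commit()


def run_demo(user_agent):
    """Return (vulnerable_version_raised_db_error, value_stored_by_safe_version)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    raised = False
    try:
        log_visit_vulnerable(conn, user_agent)
    except sqlite3.OperationalError:
        # Database syntax error; the application in the post echoes this to the client.
        raised = True
    log_visit_safe(conn, user_agent)
    stored = conn.execute(
        "SELECT ua FROM visits ORDER BY rowid DESC LIMIT 1"
    ).fetchone()[0]
    conn.close()
    return raised, stored


if __name__ == "__main__":
    print(run_demo("'"))                        # (True, "'")
    print(run_demo("brick') order by 15 --+"))  # safe version stores the literal string
```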