Is this SP safe to SQL Injection?

CREATE PROCEDURE [sp_Test] (
     @param nvarchar(Max)
) AS BEGIN

DECLARE @Output nvarchar(Max) = 
N’Select ‘ + @param

Select @output
Return

Intended Use

exec sp_test ‘5’

Returns “select 5”

Malicious Use

exec sp_test ‘5; drop database’

Returns(would be safe):
“select 5; drop database“

—-OR—-

Returns(not safe):
“select 5”
…but also actually dropping the database

MS SQL Server

Go to Source
Author: Donnie

Why SQLMap Doesn’t Attack Specified Parameter?

I am new to SQLMap. I have setup Kali and OWASPBWA VM. Both VMs are on same NAT Network set in VirtualBox.

When I try to run following command:

sqlmap -u "http://<IP_ADDRESS>/mutillidae/index.php?page=user-info.php?username=111&password=bbb&user-info-php-submit-button=View+Account+Details" -p username

I get following messages:

  • Previous heuristics detected that the target is protected by some kind of WAF/IPS.
  • Multiple messages – Unable to connect to the targeturl. sqlmap is trying to reconnect.
  • heuristics test shows that GET parameter ‘username’ might not be injectable.

There are several YouTube videos which display same setup with above 2 VMs, and are able to run the command and find injection in username parameter. What am I doing wrong? Please help.

Go to Source
Author: Amit

Can someone Inject malicious SQL to my SQL query?

I build a simple chat with MySQL. It has a table called users and two colums: id and username. I use the following query to extract username and ID by ID.

Is there a way someone can Inject malicios SQL ? and How ?

Limit is used to only allow 1 result to come out

$query = 'SELECT id, username FROM users WHERE id=' . $id . ' LIMIT 1';

Go to Source
Author: harabatahat

SQLMap Only Returns information_schema

I run this command python sqlmap.py -u https://acme.com/post.php --data "id=1" --tamper="between,randomcase,space2comment" -v 3 --random-agent --dbs but SQLMap only returns information_schema database.

Is there something wrong (if so, is there anything I can do to circumvent it ?) or the database really only has 1 database ?

Go to Source
Author: maximillian1

How to determine possible SQL injection vulnerability?

I ran the OWASP SQL injection scanner tool on a website’s sign-in page I formerly operated and two vulnerable parameters displayed. The first parameter was “returnURL” and the second one was “isLogin” showing POST DATA: IsLogin=true AND 1=1 —

What does this mean and how do I exploit this for testing purposes and ultimately fix the potential error? Should I use a Kali tool such as MySQL or do you have other suggestions?

Go to Source
Author: thenewcoder

How to reproduce SQL Injection problem by sending single quote in MySQL?

This is Damn Vulnerable Web Application (DVWA) and it’s vulnerable to SQL injection (SQLi).

Let’s begin by sending normal request

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#

Output via browser

ID: 1
First name: admin
Surname: admin

This is how the request looks like in MySQL

mysql> SELECT first_name, last_name FROM users WHERE user_id = '1';
+------------+-----------+
| first_name | last_name |
+------------+-----------+
| admin      | admin     |
+------------+-----------+
1 row in set (0.00 sec)

mysql> 

Common way to identify SQL injection is by sending single quote ' char in the parameter.

E.g. id='

Give it a try on the url and it works.

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id='&Submit=Submit#

Web browser will display SQL error indicates that the site is vulnerable to SQLi

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

I didn’t know how the query looks like in MySQL ..

So I’ve tried SELECT first_name, last_name FROM users WHERE user_id = '''; but I didn’t get the same error.

Instead, I was getting '> symbol from MySQL shell.

mysql> SELECT first_name, last_name FROM users WHERE user_id = ''';
    '> 
    '> 
    '> '
    -> 
    -> ;
Empty set (0.00 sec)

mysql> 

What is the right way to query id=' or user_id = ' (single quote) request in MySQL?

Go to Source
Author: Wolf