Challenge 9

This document describes an advanced SQL injection vulnerability on a web application. The vulnerability is in the URL parameter, which is not properly sanitized even though mysql_real_escape_string is used. This is because the input is URL decoded before being inserted into the SQL query. To exploit it, a payload of '+sleep(50)+' needs to be URL encoded and passed in the URL parameter. If the response takes over 50 seconds, it confirms the SQL injection vulnerability.
SQL Injection Labs

Challenge 9

http://192.168.2.11/sqli/sql7/ [Level: Advanced]

Which parameter is vulnerable?

The url parameter is vulnerable.

Provide a test case to confirm the SQL injection vulnerability

The application URL-decodes the input before using it. Note that the application passes the
input through mysql_real_escape_string and inserts it as a string literal; yet it is still vulnerable.

The following code demonstrates this:

$comments=mysql_real_escape_string($_POST['comments']);
$url=mysql_real_escape_string($_POST['url']);
// urldecode() runs after escaping, so a %27 in $url becomes a quote the escaper never saw
$query = "Insert into temp values('".$comments."','".urldecode($url)."')";

When you inject %2527, PHP's own request decoding turns it into %27 before it reaches $_POST.
mysql_real_escape_string leaves %27 untouched, since it is not a single quote. When the query
string is built, the urldecode call then converts %27 into a literal single quote, which closes
the string literal and makes the statement injectable.

We need to URL-encode our attack. As the injection is in an Insert statement, we have to use a
time-delay function to observe the result. We can inject:

'+sleep(50)+'

Now, we need to encode our attack:

url=%2Fsqli%2Fsql7%2Findex.php%2527%252bsleep%252850%2529%252b%2527

By Notsosecure Ltd. in collaboration with SecurityTube Training



You can verify that the response took over 50 seconds.
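The escape-then-decode ordering defect described above, modelled in Python as an added example that is not part of the lab's materials. It mimics mysql_real_escape_string and urldecode, builds the lab's query in the vulnerable order and in the corrected order (decode first, escape last), stores the same value through a bound parameter (an in-memory SQLite table stands in for the MySQL temp table), and includes a simple log check for a double-encoded parameter. The escaping table, the sample request lines and the helper names are assumptions constructed here.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample: the lab's payload as PHP sees it in $_POST after the first
# decode (one %-layer remains), plus raw request lines for the log check.
SAMPLE_URL = "/sqli/sql7/index.php%27%2bsleep%2850%29%2b%27"
SAMPLE_RAW_REQUEST = "url=%2Fsqli%2Fsql7%2Findex.php%2527%252bsleep%252850%2529%252b%2527"
BENIGN_RAW_REQUEST = "url=%2Fsqli%2Fsql7%2Findex.php%3Fid%3D1"


def mysql_escape(value: str) -> str:
    """Python model of mysql_real_escape_string (assumed character set:
    backslash, both quotes, NUL, LF, CR and Ctrl-Z are backslash-escaped)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def build_vulnerable(comments: str, url: str) -> str:
    """Same order as the lab's PHP: escape the raw value, then URL-decode it
    while concatenating, so the escaper never sees the decoded quote."""
    return ("Insert into temp values('" + mysql_escape(comments) + "','"
            + unquote_plus(mysql_escape(url)) + "')")


def build_fixed(comments: str, url: str) -> str:
    """Canonicalise first, escape last: the quote exists when it is escaped."""
    return ("Insert into temp values('" + mysql_escape(comments) + "','"
            + mysql_escape(unquote_plus(url)) + "')")


def unescaped_quote_count(query: str) -> int:
    """Count single quotes that are not backslash-escaped. A correctly built
    two-column INSERT has exactly four: the delimiters of the two literals."""
    count, i = 0, 0
    while i < len(query):
        if query[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if query[i] == "'":
            count += 1
        i += 1
    return count


def store_parameterised(comments: str, url: str) -> str:
    """Preferred fix: bind the decoded value as a parameter so it is data, not
    SQL. An in-memory SQLite table (constructed here) stands in for MySQL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE temp (comments TEXT, url TEXT)")
    con.execute("INSERT INTO temp VALUES (?, ?)", (comments, unquote_plus(url)))
    return con.execute("SELECT url FROM temp").fetchone()[0]


DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def has_double_encoding(raw_request: str) -> bool:
    """Detection heuristic for access logs or a WAF rule: %25 followed by two
    hex digits is a percent sign that was itself percent-encoded."""
    return DOUBLE_ENCODED.search(raw_request) is not None


if __name__ == "__main__":
    print("vulnerable:", build_vulnerable("", SAMPLE_URL))
    print("fixed:     ", build_fixed("", SAMPLE_URL))
    print("stored via bind:", store_parameterised("", SAMPLE_URL))
    print("double-encoded request:", has_double_encoding(SAMPLE_RAW_REQUEST))
```

The quote count makes the defect visible without a database: the vulnerable build yields six unescaped quotes, the fixed build the expected four. Swapping the order of urldecode and the escaper is the minimal patch; binding the value as a parameter removes the dependency on escaping altogether, and the double-encoding check is a cheap signal to alert on in request logs, since legitimate clients rarely send a percent-encoded percent sign.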

Further reading:

Some real world examples of such SQL Injection are listed below:

http://www.securityfocus.com/archive/1/469258

http://www.securityfocus.com/archive/1/480575
