Test 6) SQL Injection
Yalçın YOLALAN edited this page Mar 28, 2018 · 3 revisions
Vulnerability Type: Dynamic

Test Web Service URI: http://[yourhostName]/Sqli.asmx?WSDL

Vulnerable Code Block: This method gets the username from the database for the given id and returns it. It does not validate or sanitize the id parameter:
```csharp
public string SQLInjectMe1(string id, int x)
{
    string result = string.Empty;
    // Vulnerable: id is concatenated into the SQL text without validation.
    string query = "SELECT * FROM Users WHERE Id=" + id + "";
    DBHelper db = null;
    try
    {
        db = new DBHelper();
        SqlDataReader dr = db.getDataReader(query);
        if (dr != null)
        {
            //return username
            if (dr.Read())
            {
                result = dr["UserName"].ToString();
            }
            dr.Close();
        }
    }
    catch (Exception ex)
    {
        // The full exception text is returned to the caller (see Response below).
        result = ex.ToString();
    }
    finally
    {
        if (db != null) db.closeConnection();
    }
    return result;
}
```
Attack Payload: `'`

Vulnerable Method Name: SQLInjectMe1

Vulnerable Parameter Name: id

Response:

```
System.Data.SqlClient.SqlException (0x80131904): Unclosed quotation mark after the character string ''.
Incorrect syntax near ''.
```
Indications of Vulnerability
The web server returned HTTP status code 200 (i.e. OK - The request has succeeded).
The attack payload causes the database exception to be returned directly in the response. This behaviour indicates a high probability of an error-based SQL injection vulnerability.
- To test Sqli.asmx you could use Sqli-test-table-creation-script.sql (under WSSAT/WebService2Test/ directory)
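
A hardened counterpart to SQLInjectMe1, added here as an example and not part of WSSAT's code: the id is validated, passed as a typed parameter, and database errors are no longer returned to the caller. It assumes Id is an integer column; the class name, method name and connection string are hypothetical, and SqlConnection is used directly because the page does not show whether DBHelper supports parameters.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

public class SqliHardened
{
    // Assumption: placeholder connection string; the page does not show how DBHelper connects.
    private const string ConnectionString =
        "Server=localhost;Database=TestDb;Integrated Security=true;";

    public string GetUserNameById(string id)
    {
        // Validate first: Id is assumed to be an integer column, so anything
        // that does not parse as an int (including the ' payload) is rejected.
        int userId;
        if (!int.TryParse(id, out userId))
        {
            return string.Empty;
        }

        try
        {
            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand(
                "SELECT UserName FROM Users WHERE Id = @id", conn))
            {
                // The value travels as a typed parameter and is never parsed as SQL text.
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = userId;
                conn.Open();
                object userName = cmd.ExecuteScalar();
                return (userName == null || userName == DBNull.Value)
                    ? string.Empty
                    : userName.ToString();
            }
        }
        catch (SqlException ex)
        {
            // Log server-side only. Returning ex.ToString() is what put the
            // SqlException text into the response shown above.
            Trace.TraceError("User lookup failed: {0}", ex);
            return string.Empty;
        }
    }
}
```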