Test 6) SQL Injection

Yalçın YOLALAN edited this page Mar 28, 2018 · 3 revisions

SQL Injection Test

Vulnerability Type: Dynamic

Test Web Service URI: http://[yourhostName]/Sqli.asmx?WSDL

Vulnerable Code Block: This method gets the username from the database for the given id and returns it. It does not validate or sanitize the id parameter before concatenating it into the query:

public string SQLInjectMe1(string id, int x)
{
    string result = string.Empty;

    // Vulnerable: id is concatenated into the SQL text without validation or parameterization
    string query = "SELECT * FROM Users WHERE Id=" + id + "";
    DBHelper db = null;
    try{
        db = new DBHelper();
        SqlDataReader dr = db.getDataReader(query);

        if (dr != null)
        { 
            //return username
            if (dr.Read())
            {
                result = dr["UserName"].ToString();
            }
            dr.Close();
        }

    } catch (Exception ex){
        // The full exception text is returned to the caller, so database errors appear in the response
        result = ex.ToString();
    } finally {
        if (db != null) db.closeConnection();
    }
    return result;
}

Attack Payload: '

Vulnerable Method Name: SQLInjectMe1

Vulnerable Parameter Name: id

Response

System.Data.SqlClient.SqlException (0x80131904): Unclosed quotation mark after the character string ''.
Incorrect syntax near ''.

Indications of Vulnerability

Web server returned: HTTP status code 200 (i.e. OK - The request has succeeded).
The attack payload causes a database exception to be returned directly in the response. This behaviour indicates a high probability of an error-based SQL injection vulnerability.
  • To test Sqli.asmx, you can use Sqli-test-table-creation-script.sql (under the WSSAT/WebService2Test/ directory).
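
For comparison with SQLInjectMe1 above, a hardened counterpart is sketched here as an added example; it is not part of the WSSAT project's code. It assumes Users.Id is an integer column, uses a placeholder connection string, and talks to SqlConnection directly because the page does not show DBHelper's internals; the class and method names are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public class SqliFixed
{
    // Assumption: placeholder connection string; the page does not show how DBHelper connects.
    private const string ConnectionString =
        "Server=localhost;Database=TestDb;Integrated Security=true;";

    // Same signature as the vulnerable method (x is unused there as well).
    public string SQLInjectMe1Fixed(string id, int x)
    {
        // Validate first: assuming Users.Id is an integer column, any other input
        // (including the single-quote payload) is rejected before reaching the database.
        int userId;
        if (!int.TryParse(id, out userId))
        {
            return string.Empty;
        }

        // The value travels as a typed parameter and never becomes part of the SQL text.
        const string query = "SELECT UserName FROM Users WHERE Id = @id";
        try
        {
            using (var conn = new SqlConnection(ConnectionString))
            using (var cmd = new SqlCommand(query, conn))
            {
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = userId;
                conn.Open();
                object userName = cmd.ExecuteScalar();
                return userName == null || userName == DBNull.Value
                    ? string.Empty
                    : userName.ToString();
            }
        }
        catch (SqlException)
        {
            // Do not return ex.ToString(): the raw exception text in the response is
            // the indicator described above. Log the exception server-side instead.
            return string.Empty;
        }
    }
}
```

With this version the ' payload yields an empty result and no SqlException text in the response.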