HELLO.
I scanned my website with this scanner never used before and this is below it gives me the result:
<< Blind SQL injection was found at: "localhost/index.aspx", using HTTP method POST. The sent post-data was: "...ddOptionspassword=1 or pgsleep(5)...". This vulnerability was found in the request with id 245. >>
While observing the above results provided by the scanner "w3af," I wonder how translated or convert this result into a link that I can try and use my browser just to find the error ???
Should I: localhost/index.aspx/pgsleep (5) or localhost/index.aspx/...ddOptionspassword=1 ???
Give me an idea to find the correct ideal link that will allow me to find the SQL error in my web browser by following course the above result provided by the scanner "w3af" ???
Thanks.
3 Responses
Some Results are false positives but should incase it were true.
Scanners sometimes inject queries to see if the parameter is vulnerable.
Why don't you sanitize your id parameter.
Maybe, that should help
#Sky
In addition to Sky Venom, false positives can usually be dead ends. Don't go chasing the rainbow.
The short answer is you probably won't be able to simply use your browser to find the error.
Your results states the SQLi was found using HTTP method POST. POST requests submit data in the body of the request to be processed and aren't exactly viewable in your browser. GET request, request data in the URL from the server to view on the page. You can't always convert POST requests to GET requests for being viewed. I don't think this is going to get you what you are looking for anyway.
You won't be able to view the SQL error because there isn't one. Looking at your results the SQLi seems to be a time based blind SQL injection. In this kind of SQLi you ask the application a true or false statement (boolean) and say if the statement is true wait 5 seconds to respond. So the injection is based on the amount of time the application takes to respond. Similar to what others have stated this kind of injection is prone to false positives. Still always worth looking into though.
Since the SQLi is based on the amount of time it takes the application to respond anything that delays the response may trigger a false positive. You could increase your delay for more reliable results, try the SQLi several times to confirm, and use another tool to verify the injection. OTW created some tutorials on getting started with sqlmap, a great tool for sql injection testing. See if you can enumerate data from the database, be careful though.
https://null-byte.wonderhowto.com/how-to/db-hacking/
Share Your Thoughts