
SQL Injection #2229

Closed
drsaluml opened this issue Oct 28, 2019 · 7 comments

Comments

@drsaluml

[image attachment in the original post]

@OzanKurt
Contributor

OzanKurt commented Nov 4, 2019

Did you try using sqlmap to see what you can do? http://sqlmap.org/

@OzanKurt
Contributor

OzanKurt commented Nov 4, 2019

@yajra This might be important.

@yajra
Owner

yajra commented Nov 6, 2019

@drsaluml what version are you using? I suspect you are using an older version so please update to the latest available. As far as I remember, I already added a direction strict comparison which only accepts desc or asc. If nothing matches, it will default to one of them (I think the default is asc).

@yajra
Owner

yajra commented Nov 6, 2019

Also, make sure that APP_DEBUG is false on production with DATATABLES_ERROR value set to some custom message.

@yajra
Owner

yajra commented Nov 6, 2019

@OzanKurt tried the link you provided and I think the package passes. See result below:

heuristic (basic) test shows that GET parameter 'order[0][dir]' might not be injectable
[08:48:41] [CRITICAL] all tested parameters do not appear to be injectable.

   python sqlmap.py -u http://tenant.test\?order\[0\]\[column\]\=6\&order\[0\]\[dir\]\=desc\&start\=0\&length\=25\&search\[value\]\=

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.11.5#dev}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:48:11 /2019-11-06/

[08:48:11] [WARNING] provided value for parameter 'search[value]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[08:48:11] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('XSRF-TOKEN=eyJpdiI6Ijd...ZDFkIn0%3D;laravel_session=eyJpdiI6Imh...E3NWQ2YyJ9'). Do you want to use those [Y/n] y
[08:48:13] [INFO] testing if the target URL content is stable
[08:48:13] [INFO] target URL content is stable
[08:48:13] [INFO] testing if GET parameter 'order[0][column]' is dynamic
[08:48:13] [WARNING] GET parameter 'order[0][column]' does not appear to be dynamic
[08:48:13] [WARNING] heuristic (basic) test shows that GET parameter 'order[0][column]' might not be injectable
[08:48:13] [INFO] testing for SQL injection on GET parameter 'order[0][column]'
[08:48:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:48:13] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[08:48:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[08:48:14] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[08:48:14] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[08:48:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[08:48:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[08:48:14] [INFO] testing 'MySQL inline queries'
[08:48:14] [INFO] testing 'PostgreSQL inline queries'
[08:48:14] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[08:48:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[08:48:14] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[08:48:15] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[08:48:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:48:15] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[08:48:15] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[08:48:15] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[08:48:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[08:48:30] [WARNING] GET parameter 'order[0][column]' does not seem to be injectable
[08:48:30] [INFO] testing if GET parameter 'order[0][dir]' is dynamic
[08:48:30] [WARNING] GET parameter 'order[0][dir]' does not appear to be dynamic
[08:48:30] [WARNING] heuristic (basic) test shows that GET parameter 'order[0][dir]' might not be injectable
[08:48:30] [INFO] testing for SQL injection on GET parameter 'order[0][dir]'
[08:48:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:48:30] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[08:48:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[08:48:30] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[08:48:31] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[08:48:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[08:48:31] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[08:48:31] [INFO] testing 'MySQL inline queries'
[08:48:31] [INFO] testing 'PostgreSQL inline queries'
[08:48:31] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[08:48:31] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[08:48:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[08:48:31] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[08:48:32] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:48:32] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[08:48:32] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[08:48:32] [INFO] testing 'Oracle AND time-based blind'
[08:48:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[08:48:33] [WARNING] GET parameter 'order[0][dir]' does not seem to be injectable
[08:48:33] [INFO] testing if GET parameter 'start' is dynamic
[08:48:33] [WARNING] GET parameter 'start' does not appear to be dynamic
[08:48:33] [WARNING] heuristic (basic) test shows that GET parameter 'start' might not be injectable
[08:48:33] [INFO] testing for SQL injection on GET parameter 'start'
[08:48:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:48:33] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[08:48:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[08:48:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[08:48:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[08:48:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[08:48:34] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[08:48:34] [INFO] testing 'MySQL inline queries'
[08:48:34] [INFO] testing 'PostgreSQL inline queries'
[08:48:34] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[08:48:34] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[08:48:34] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[08:48:34] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[08:48:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:48:34] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[08:48:35] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[08:48:35] [INFO] testing 'Oracle AND time-based blind'
[08:48:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[08:48:35] [WARNING] GET parameter 'start' does not seem to be injectable
[08:48:35] [INFO] testing if GET parameter 'length' is dynamic
[08:48:35] [WARNING] GET parameter 'length' does not appear to be dynamic
[08:48:35] [WARNING] heuristic (basic) test shows that GET parameter 'length' might not be injectable
[08:48:35] [INFO] testing for SQL injection on GET parameter 'length'
[08:48:36] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:48:36] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[08:48:36] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[08:48:36] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[08:48:36] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[08:48:36] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[08:48:37] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[08:48:37] [INFO] testing 'MySQL inline queries'
[08:48:37] [INFO] testing 'PostgreSQL inline queries'
[08:48:37] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[08:48:37] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[08:48:37] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[08:48:37] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[08:48:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:48:37] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[08:48:37] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[08:48:38] [INFO] testing 'Oracle AND time-based blind'
[08:48:38] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[08:48:38] [WARNING] GET parameter 'length' does not seem to be injectable
[08:48:38] [INFO] testing if GET parameter 'search[value]' is dynamic
[08:48:38] [INFO] GET parameter 'search[value]' appears to be dynamic
[08:48:38] [WARNING] heuristic (basic) test shows that GET parameter 'search[value]' might not be injectable
[08:48:38] [INFO] testing for SQL injection on GET parameter 'search[value]'
[08:48:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:48:38] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[08:48:39] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[08:48:39] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[08:48:39] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[08:48:39] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[08:48:39] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[08:48:39] [INFO] testing 'MySQL inline queries'
[08:48:39] [INFO] testing 'PostgreSQL inline queries'
[08:48:39] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[08:48:39] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[08:48:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[08:48:40] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[08:48:40] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:48:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[08:48:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[08:48:40] [INFO] testing 'Oracle AND time-based blind'
[08:48:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[08:48:41] [WARNING] GET parameter 'search[value]' does not seem to be injectable
[08:48:41] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 08:48:41 /2019-11-06/

@OzanKurt
Contributor

OzanKurt commented Nov 6, 2019

@yajra If sqlmap can't make it, it's secure. :)

Thanks for not making me install Python on my newly formatted PC.

@shuadoc

shuadoc commented May 1, 2020

There is a patch addressing this that was added in version 8.7.1 on Jul 5, 2018: #1792

A test case that failed before and passed after that version:

order[0][dir]=asc,(SELECT (CASE WHEN (2001=2001) THEN SLEEP(5) ELSE 2001*(SELECT 2001 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&start=0

(a delayed response indicates vulnerability)

Running sqlmap at version 8.13.7, I did not receive any results, while running a version earlier than 8.7.1 did.
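The defence yajra describes above (a strict comparison that accepts only `asc` or `desc` and falls back to `asc`) and the test case shuadoc quotes can be illustrated with a small request handler. The following is an added example written for this thread, not code from yajra/laravel-datatables: the `COLUMNS` allowlist, the `users` table and its rows, the `MAX_LENGTH` cap and the `parse_qs`-based parsing are all assumptions chosen for the illustration. It applies the same idea to every DataTables parameter: the column index is resolved against an allowlist instead of being interpolated, `start` and `length` are coerced to bounded integers and bound as parameters, and `search[value]` is bound with its LIKE metacharacters escaped. `THREAD_PAYLOAD` is the direction value from shuadoc's test case, wrapped in the other parameters from yajra's sqlmap URL.

```python
import sqlite3
from urllib.parse import parse_qs

# Hypothetical allowlist (assumption, not the package's configuration):
# DataTables column index -> real column name. The client never supplies an
# identifier; it supplies an index that is looked up here.
COLUMNS = ["id", "name", "email", "created_at"]
DEFAULT_DIR = "asc"   # fallback when order[0][dir] is anything but asc/desc
MAX_LENGTH = 100      # cap on the page size a client may request


def parse_request(query_string: str) -> dict:
    """Validate DataTables-style request parameters.

    Values that end up in the SQL text (column name, direction) are resolved
    against fixed allowlists; everything else is returned as a typed value
    that will be bound as a query parameter.
    """
    params = parse_qs(query_string, keep_blank_values=True)

    def first(key, default=""):
        return params.get(key, [default])[0]

    # Direction: strict comparison, anything else falls back to the default.
    direction = first("order[0][dir]").lower()
    if direction not in ("asc", "desc"):
        direction = DEFAULT_DIR

    # Column: an integer index into the allowlist; out of range means "no ordering".
    try:
        column_index = int(first("order[0][column]", "0"))
    except ValueError:
        column_index = -1
    order_by = COLUMNS[column_index] if 0 <= column_index < len(COLUMNS) else None

    # Paging: coerce to bounded integers, never interpolated as text.
    try:
        start = max(0, int(first("start", "0")))
        length = min(MAX_LENGTH, max(1, int(first("length", "25"))))
    except ValueError:
        start, length = 0, 25

    return {"order_by": order_by, "direction": direction, "start": start,
            "length": length, "search": first("search[value]")}


def build_query(req: dict):
    """Return (sql, bound_params); only allowlisted identifiers reach the SQL text."""
    sql = "SELECT id, name, email, created_at FROM users"
    bound = []
    if req["search"]:
        # Bind the search term and escape LIKE metacharacters so a client
        # cannot turn '%' or '_' into wildcards.
        term = req["search"].replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        pattern = f"%{term}%"
        sql += " WHERE (name LIKE ? ESCAPE '\\' OR email LIKE ? ESCAPE '\\')"
        bound += [pattern, pattern]
    if req["order_by"]:
        # Both pieces come from allowlists, so interpolating them is safe.
        sql += f" ORDER BY {req['order_by']} {req['direction'].upper()}"
    sql += " LIMIT ? OFFSET ?"
    bound += [req["length"], req["start"]]
    return sql, bound


def run(query_string: str):
    """Execute a request against a constructed in-memory table and return the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.test", "2019-01-01"),   # constructed sample rows
        (2, "bob", "bob@example.test", "2019-02-01"),
        (3, "carol", "carol@example.test", "2019-03-01"),
    ])
    sql, bound = build_query(parse_request(query_string))
    return conn.execute(sql, bound).fetchall()


# The direction value from the test case quoted in this thread: the strict
# comparison rejects it and the query is ordered ascending instead.
THREAD_PAYLOAD = ("order[0][column]=1&order[0][dir]=asc,(SELECT (CASE WHEN (2001=2001) "
                  "THEN SLEEP(5) ELSE 2001*(SELECT 2001 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"
                  "&start=0&length=25&search[value]=")

if __name__ == "__main__":
    print(build_query(parse_request(THREAD_PAYLOAD)))
    print(run(THREAD_PAYLOAD))
```

The design choice worth noting is that nothing a client sends is ever concatenated into the SQL text: the direction and column name are chosen from fixed lists, and the strings that must be compared against data (the search term) travel as bound parameters. With the thread's test case, `build_query` produces `... ORDER BY name ASC LIMIT ? OFFSET ?`, so the `SLEEP` expression never reaches the database and no delayed response is possible.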

@yajra yajra closed this as completed Oct 2, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Oct 17, 2023