I was asked by my friend to play around with his family's new website and report any bugs I may encounter. Going through the pages, I noticed one that very much looks like it's prone to SQL injection. I do not have access to the source code as it is hosted by a local website design company.
http://website.tld/product/1234/a-beautiful-vase
After playing around with the URL, I was able to get the exact same page with:
http://website.tld/product.php/id=1234
I replaced 1234 with 1234' and the website threw the following error:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/shop/public_html/product.php on line 34
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/shop/public_html/product.php on line 40
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1234''' at line 1
I also tried replacing id=1234 with
id=1234 AND 1=1 (automatically encoded by the browser into id=1234%20AND%201=1) and id=1234 AND 1=2 (automatically encoded by the browser into id=1234%20AND%201=2). With both attempts, the web page succeeds in loading the product page, with two additional errors thrown:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/shop/public_html/product.php on line 205
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/shop/public_html/product.php on line 217
The product page looks normal with the product information, weight, price, and image all correctly populated. There is no SQL syntax error. And that's where I got a little confused.
I also tried a bunch of other variations:
- id='1234%20AND%201=2 yielded ...to use near '1234%20AND%201'' at line 1
- id=1234'%20AND%201=2 yielded ...to use near ''' at line 1
- id='1234'%20AND%201=2 yielded ...to use near '1234'%20AND%201'' at line 1
- id=1234%20AND%20'1'=2 yielded ...to use near '1''' at line 1
However, id=1234%20AND%201='2 also renders the correct product page, with the same two PHP warnings as above:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/shop/public_html/product.php on line 205
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/shop/public_html/product.php on line 217
I guess my questions are:
- Is it possible, in this case, to perform SQL injection? I found extensive tutorials online explaining how to inject normal GET parameters. However, if I'm not much mistaken, .htaccess is used to rewrite the URL so would that prevent (or change) the procedure?
- Secondly, since the browser encodes special characters (for example spaces to %20), doesn't that mean MySQL will get something like WHERE id='1234%20AND%201=1 and cause a syntax error?
- Why did it yield the same result even when I tried adding AND 1=1 and AND 1=2 at the end of the id parameter?
- Why did id=1234%20AND%20'1'=2 yield ...to use near '1''' at line 1? I only put one single quote around 1, yet the error seems to indicate there are two additional single quotes after 1?
- The web browser (I'm using Google Chrome) doesn't seem to encode the = sign, yet manually changing it into %3D doesn't seem to make a difference in the outcome. Why is that?
Two additional points I'd like to point out:
- The PHP warnings thrown when there is an SQL syntax error and when there isn't are different; simply take a look at the line numbers. I'm guessing lines 205 and 217 are queries used to find related products, whereas the main query pulling up the id=1234 product is located around lines 34-40.
- id=1234%20-- renders the product page perfectly, with no error or warning at all.
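The warnings quoted in the post are the classic signature of user input concatenated into a query string: `mysql_query()` returns `false` when the statement fails to parse, and `mysql_num_rows()` / `mysql_fetch_array()` then complain that they were handed a boolean instead of a result resource. The following is an added example, not the site's code (the source is not available, so the table and column names, the `$_GET['id']` input and the database credentials are all assumptions); it shows that implied pattern next to a hardened version that validates the id as an integer and binds it as a parameter. Both the URL rewrite and the browser's percent-encoding of spaces happen before the value reaches the script (the server rewrites the path, and PHP URL-decodes the query string when it populates `$_GET`), so the script is where the check has to live.

```php
<?php
// Added example, not the site's own code. Table/column names, the
// $_GET['id'] input and the DSN/credentials below are assumptions.

// --- The pattern the warnings imply (legacy mysql_* extension, removed in PHP 7.0) ---
// The raw value is spliced into the SQL text. Any quote or keyword in the
// value becomes part of the statement; when that breaks the syntax,
// mysql_query() returns false and the next two calls emit exactly the
// "expects parameter 1 to be resource, boolean given" warnings seen above.
function product_legacy($rawId)
{
    $sql = "SELECT * FROM products WHERE id='" . $rawId . "'";
    $result = mysql_query($sql);           // false on a syntax error, not an exception
    if (mysql_num_rows($result) === 0) {   // warning: boolean given
        return null;
    }
    return mysql_fetch_array($result);     // warning: boolean given
}

// --- Hardened version: validate the type, then bind the value as a parameter ---
function product_hardened(PDO $pdo, string $rawId): ?array
{
    // 1. Accept only a plain positive integer before touching the database.
    //    Values such as "1234 AND 1=1", "1234'" or "1234 --" fail this check
    //    and never reach the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. The SQL text is fixed; the value travels separately as a bound
    //    parameter, so quotes or keywords in it cannot alter the statement.
    $stmt = $pdo->prepare(
        'SELECT id, name, weight, price, image FROM products WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with placeholder credentials. ERRMODE_EXCEPTION makes a failing
// query throw (so it can be logged server-side) instead of returning false
// and leaking MySQL's error text into the page as the warnings above do.
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop_db;charset=utf8mb4',   // placeholder DSN
    'db_user',                                               // placeholder
    'db_password',                                           // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // use real server-side prepared statements
    ]
);

// $_GET['id'] is already URL-decoded here; the %20 in the post is only the
// browser's on-the-wire encoding of a space.
$product = product_hardened($pdo, $_GET['id'] ?? '');
if ($product === null) {
    http_response_code(404);
    exit('Product not found');
}
```

The same two-step treatment (reject anything that is not an integer, then bind) applies to the related-products queries the post guesses are around lines 205 and 217: every place the id is used must go through it, since the warnings show the value reaching more than one statement. Setting `display_errors` off in production keeps the file path and the MySQL error text out of the response as well; the detailed message belongs in the server log, not the page.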
