Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Error based SQL injection" module is designed to detect potential SQL injection vulnerabilities in 29 different database engines. It targets misconfigurations that can lead to unauthorized access and manipulation of data. This module is classified as a critical vulnerability with a CVSS score of 9.8.
This module was authored by geeknik.
A successful SQL injection attack can allow an attacker to execute arbitrary SQL queries on the target database, potentially gaining unauthorized access to sensitive data, modifying or deleting data, or even taking control of the entire database server.
The "Error based SQL injection" module works by sending HTTP requests to the target application with specific payloads that are designed to trigger error messages related to SQL syntax or database operations. The module then analyzes the response to determine if the error message indicates a potential SQL injection vulnerability.
For example, the module may send a GET request to the target application with the path "/'". It then checks the response for error messages that match predefined patterns, such as "SQL syntax error", "MySQLSyntaxErrorException", "PostgreSQL ERROR", or "Oracle error". If any of these patterns are found in the response, the module flags the target as potentially vulnerable to SQL injection.
The module uses a combination of word-based and regex-based matching conditions to identify potential SQL injection vulnerabilities. It checks both the body of the response and all parts of the response for specific error patterns. The module also supports negative matching, allowing it to exclude certain error messages that may be false positives.
It's important to note that this module does not perform actual SQL injection attacks or exploit any vulnerabilities. It simply detects potential vulnerabilities by analyzing error messages in the application's responses.