Tags: sql, sql-injection

What kind of database is this, and could it be SQL injection?


I have a new website which is managed by a private company.

This morning I accidentally put a double quote (") in the URL and got the error below:

URL: http://domain.com/sys.aspx?page=5&search=1"

Server Error in '/' Application.

Syntax error near '"' in the full-text search condition '1"'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Data.SqlClient.SqlException: Syntax error near '"' in the full-text search condition '1"'.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: 


[SqlException (0x80131904): Syntax error near '"' in the full-text search condition '1"'.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +212
   System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +245
   System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2811
   System.Data.SqlClient.SqlDataReader.ConsumeMetaData() +58
   System.Data.SqlClient.SqlDataReader.get_MetaData() +112
   System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +6281668
   System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +6282737
   System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +424
   System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +28
   System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) +211
   System.Data.SqlClient.SqlCommand.ExecuteReader() +117
   Pazar3.list.Page_Load(Object sender, EventArgs e) in E:\mudi\ker_ss\Solution\trunk\sys.aspx.cs:119
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +42
   System.Web.UI.Control.OnLoad(EventArgs e) +132
   System.Web.UI.Control.LoadRecursive() +66
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428

Version Information: Microsoft .NET Framework Version:2.0.50727.4984; ASP.NET Version:2.0.50727.4971

My question is: what kind of database is this, and could it be SQL injection?


Solution

  • I just called them and they told me "we use mysql". Is that correct?

    It's possible they use both MySQL and SQL Server at their site. Not likely -- but possible.

    I think it's more likely that they simply made a mistake. I have heard a few IT people say "MySQL" when they actually use Microsoft SQL Server.

    The error message, Syntax error near 'XXXX' in the full-text search condition 'YYYY', seems like a Microsoft SQL Server error message. If you search StackOverflow for that error message (minus the specific pattern), you'll find only Microsoft SQL Server issues.

    You can use double-quotes inside a pattern with the CONTAINS() function, so you can search for phrases (see examples here). I assume the CONTAINS() function doesn't like it when your pattern includes unbalanced double-quotes, and it throws an exception.

    Also, the class System.Data.SqlClient seems like a .NET class, and it's more common to use .NET with a Microsoft SQL Server back-end instead of a MySQL back-end (though the latter is possible, it's just not as common).

    MySQL also has a fulltext search function, but MySQL doesn't throw an error if you feed it an unbalanced double-quote in the search pattern.

    They might be using MySQL for other parts of their site, but the error you saw appears to be a Microsoft SQL Server error.

    Is it an SQL injection vulnerability? Not necessarily. Their application might be passing the pattern safely using a prepared statement and a query parameter for the search pattern. So it may not be at risk for SQL injection per se (i.e. a user can't submit a string that makes the query do something other than search for a pattern), but the application doesn't prevent the user from submitting invalid search patterns that result in an exception.

    In short, we can't tell for certain from the error message whether it's an SQL injection vulnerability or not, because one could get the same error even if the query is executed with parameters.
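To make the answer's point concrete, here is an added example in C# (not the site's own code, and not the poster's `Pazar3.list.Page_Load`). It assumes a hypothetical table `dbo.Listings` with a full-text index on `Title` and a placeholder connection string. The first method concatenates the user's text into the statement, so the request text can change the query; the second sends the same text as a parameter, which stops injection but still produces the full-text syntax error for an unbalanced `"`, which is why the error page alone does not prove a vulnerability. The third method shows the extra step the answer says the application is missing: turning arbitrary input into a well-formed `CONTAINS` condition before it reaches the database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class FullTextSearchExample
{
    // Placeholder connection string (assumption for this example).
    const string ConnStr = "Server=.;Database=ExampleDb;Integrated Security=true";

    // VULNERABLE: the user's text becomes part of the SQL statement.
    //   search=1"                 -> Syntax error near '"' in the full-text search condition '1"'
    //   search=x') OR 1=1 --      -> the WHERE clause itself is rewritten by the attacker
    // Both cases error or misbehave because the statement text is no longer fixed.
    public static DataTable SearchConcatenated(string search)
    {
        string sql = "SELECT Id, Title FROM dbo.Listings WHERE CONTAINS(Title, '" + search + "')";
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            DataTable table = new DataTable();
            table.Load(cmd.ExecuteReader());
            return table;
        }
    }

    // PARAMETERISED: the statement text is constant, @pattern is sent as data.
    // An attacker cannot change the query, but CONTAINS still parses the pattern,
    // so search=1" raises exactly the same SqlException as the concatenated version.
    public static DataTable SearchParameterised(string search)
    {
        const string sql = "SELECT Id, Title FROM dbo.Listings WHERE CONTAINS(Title, @pattern)";
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = search;
            conn.Open();
            DataTable table = new DataTable();
            table.Load(cmd.ExecuteReader());
            return table;
        }
    }

    // Turn free text into a well-formed CONTAINS search condition: drop the double
    // quotes the full-text grammar reserves for phrases, reject empty input (CONTAINS
    // also errors on an empty predicate), then quote the whole thing as one phrase so
    // the user cannot supply operators such as AND / NEAR or unbalanced quotes.
    // Returns null when there is nothing left to search for.
    public static string ToFullTextPattern(string search)
    {
        if (search == null) return null;
        string cleaned = search.Replace("\"", " ").Trim();
        if (cleaned.Length == 0) return null;
        return "\"" + cleaned + "\"";
    }

    // Parameterised query plus pattern normalisation plus an error check, so a bad
    // pattern becomes an empty result instead of an unhandled-exception page.
    public static DataTable SearchSafely(string search)
    {
        string pattern = ToFullTextPattern(search);
        if (pattern == null) return new DataTable();
        try
        {
            return SearchParameterised(pattern);
        }
        catch (SqlException ex) when (ex.Number == 7630) // SQL Server: syntax error in full-text condition
        {
            return new DataTable();
        }
    }
}
```

The parameterised version is what the answer means by "passing the pattern safely"; the normalisation step is what turns `1"` into the phrase `"1"` and `x") OR 1=1 --` into the harmless phrase `"x) OR 1=1 --"`, both of which `CONTAINS` accepts. Whether the real site does either of these things cannot be read off the error page, which is the answer's conclusion.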