SQL Injection Scanner Report
Summary
Overall risk level: Critical
Risk ratings:
  Critical: 1
  High: 0
  Medium: 0
  Low: 0
  Info: 2
Scan information:
  Start time: Apr 08, 2025 / [Link] UTC+03
  Finish time: Apr 08, 2025 / [Link] UTC+03
  Scan duration: 35 sec
  Tests performed: 3/3
  Scan status: Finished
Findings
SQL Injection CONFIRMED
port 4280/tcp
URL: [Link] [Link]/vulnerabilities/sqli/
Method: GET
Vulnerable Parameter: id (Query Parameter)
Evidence:
Injecting the value ' in the id query parameter generated the following error(s) in the response:
<b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1d3d2d231d2dd4''' at line 1 in /var/www/html/vulnerabilities/sqli/source/[Link]
Details
Risk description:
An attacker could gain unauthorized access to the information in the application's database. The attacker could extract and
alter information such as application usernames, passwords, client information and other application-specific data.
Recommendation:
We recommend implementing a validation mechanism for all the data received from the users.
The best way to protect against SQL Injection is to use prepared statements for every SQL query performed on the database.
Otherwise, the user input can also be sanitized using dedicated methods such as: mysqli_real_escape_string.
Classification:
CWE: CWE-89
OWASP Top 10 - 2017: A1 - Injection
OWASP Top 10 - 2021: A3 - Injection
Spider results
Entry 1
  URL: [Link] [Link]/vulnerabilities/sqli/
  Method: GET
  Parameters: (none)
  Page Title: Vulnerability: SQL Injection :: Damn Vulnerable We
  Page Size: 3.97 KB
  Status Code: 200
Entry 2
  URL: [Link] [Link]/vulnerabilities/sqli/
  Method: GET
  Parameters: Query: Submit=Submit id=1d3d2d231d2dd4
  Page Title: Vulnerability: SQL Injection :: Damn Vulnerable We
  Page Size: 4.04 KB
  Status Code: 200
Details
Risk description:
The table contains all the unique pages the scanner found. Duplicated URLs are not listed here because scanning them is considered
unnecessary.
Recommendation:
We recommend that advanced users make sure the scan properly detected most of the URLs in the application.
References:
All the URLs the scanner found, including duplicates (available for 90 days after the scan date)
Website is accessible.
Scan coverage information
List of tests performed (3/3)
Starting the scan...
Spidering target...
Checking for SQL Injection...
Scan parameters
Target: [Link]
Scan type: Deep
Authentication: False
Scan stats
Unique Injection Points Detected: 2
URLs spidered: 2
Total number of HTTP requests: 102
Average time until a response was received: 45ms