The latest articles on DEV Community by Icy (@icyyy). https://dev.to/icyyy https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3643529%2F13420ad6-9d8e-4713-94ad-b6207641be9c.png https://dev.to/icyyy en Icy Wed, 03 Dec 2025 14:41:25 +0000 https://dev.to/icyyy/is-sql-injection-dead-in-2025-finding-critical-bugs-in-item-pagination-1f6a https://dev.to/icyyy/is-sql-injection-dead-in-2025-finding-critical-bugs-in-item-pagination-1f6a <p><strong><em>Introduction</em></strong></p> <p>Many developers believe that in 2025, we are too advanced to see simple SQL Injection vulnerabilities anymore. Well, while browsing the functionalities of a well-known TF2 trading site, I discovered that old habits die hard.</p> <p><strong><em>How did I find the bug?</em></strong></p> <p>On the Item page there is a navigation feature allowing users to jump to a specific page of listings.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcwt3elf8ciwbtgle48d9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcwt3elf8ciwbtgle48d9.png" alt=" " width="296" height="42"></a></p> <p>Pressing the "..." button triggers a pop-up where you can manually input the page number. Naturally I wondered "Does it trust my input?".</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6hobcs35ggb1sjzn7jad.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6hobcs35ggb1sjzn7jad.png" alt=" " width="428" height="134"></a></p> <p>Instead of a number, I inputted the character "e". The application didn't handle it gracefully, instead of a generic 404 or soft error the site threw a Fatal Error exposing massive amount of sensitive information.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx6o8nbgncnx7sdumiy2y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx6o8nbgncnx7sdumiy2y.png" alt=" " width="800" height="30"></a></p> <p><strong>What did we get here?</strong></p> <ol> <li>Database Error Code: "SQLSTATE[42000]"</li> <li>Database Type</li> <li>Logic Leak: the error showed exactly where the input was processed (-25,25)</li> <li>Full Path Disclosure: (var/.../.../...php etc.)</li> <li>Internal Functions</li> </ol> <p>This "Information Disclosure" alone is critical. It tells an attacker exactly what technology stack is running and where the files are located. I wanted to see also if the input was actually interacting with the database logic.</p> <p><strong><em>The 0xC trick</em></strong></p> <p>To confirm if the input was being passed directly to the SQL query without proper sanitization, I tried a classic bypass. "0xC"<br> The result? The site processed it perfectly and loaded Page 12.<br> In decimal, 0xC equals 12.<br> This confirmed that the application was not strictly validating integers. It was accepting strings that "looked" like numbers (type juggling) and passing them straight to the database layer.</p> <p><strong><em>Second try, second vulnerability</em></strong></p> <p>To understand the scope, I started Burpsuite and tried to manipulate the request further. The request contained parameters that weren't visible in the UI. Changing parameter names I was able to trigger consistent SQL syntax errors across different modules.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F86ive586k4feva6tu2og.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F86ive586k4feva6tu2og.png" alt=" " width="346" height="164"></a></p> <p>While some developers argue that SQL Injection via passing integer values / LIMIT or OFFSET clauses is difficult to exploit, some resources prove otherwise. *check the resources down bellow</p> <p><strong>"Better be safe than sorry!"</strong></p> <p>I responsibly disclosed the vulnerability to the site's staff. Interestingly, despite having a Bug Bounty program, I was told the bug was "known" and "low risk". However shortly the issue was patched and the error messages were disabled. <br> The experience reinforced a valuable lesson: Input validation is non-negotiable, even for something simple, like a page number.</p> <p>Let me know what do you think, was it exploitable or not?</p> <p><strong>Resources &amp; References:</strong></p> <ul> <li><p><a href="https://infosecwriteups.com/exploiting-sql-error-sqlstate-42000-to-own-mariadb-of-a-large-eu-based-online-media-and-cf7396c43bbf" rel="noopener noreferrer">https://infosecwriteups.com/exploiting-sql-error-sqlstate-42000-to-own-mariadb-of-a-large-eu-based-online-media-and-cf7396c43bbf</a></p></li> <li><p><a href="http://www.davidlitchfield.com/Lateral_SQL_Injection_Revisited_Final.pdf" rel="noopener noreferrer">http://www.davidlitchfield.com/Lateral_SQL_Injection_Revisited_Final.pdf</a></p></li> <li><p><a href="https://sechow.com/bricks/docs/content-page-1.html" rel="noopener noreferrer">https://sechow.com/bricks/docs/content-page-1.html</a></p></li> </ul> sql web database security