Thursday, 29 January 2015

How to visualize what's happening with SQL Injection test?



I am testing an eCommerce site for SQL injection vulnerability, and am uncertain what is going on.


When I put in ', it just says No match found for " ' ".

When I put in 'true, it brings up about 6000 items matching the word "true", such as "true mahogany shelf."

When I put in true, it brings up about 6000 items matching the word "true," as above.

When I put in ' or true, 35000 items come up, but it starts by listing the ones that match the word "true."


So I'm not sure what's going on. The fact that the matches went up by a factor of 7 on the last input implies to me that it's vulnerable, but the fact that it's still searching for the word "true" implies that it isn't.


I'm not sure how to continue penetration testing from this point. Any advice on what to read?
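One reading consistent with all four observations is a parameterized keyword search that drops punctuation, ORs the remaining terms and ranks the hits. The added example below (not from the original post, and not the site's code) shows that next to a string-concatenated query for contrast. The catalogue, the ranking rule and the function names are constructed assumptions.

```python
import re
import sqlite3

# Constructed catalogue; the real site's data and schema are unknown.
ITEMS = ["true mahogany shelf", "true oak table", "cork board",
         "door mat", "storage box", "glass vase"]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT)")
    db.executemany("INSERT INTO items VALUES (?)", [(n,) for n in ITEMS])
    return db

def keyword_search(db, query):
    """Parameterized search: punctuation dropped, terms OR-ed, hits ranked."""
    terms = re.findall(r"[a-z0-9]+", query.lower())
    if not terms:
        return []  # a lone quote leaves no terms: "No match found"
    where = " OR ".join("name LIKE ?" for _ in terms)
    # Assumed ranking: each matched term adds its length, so "true" outranks "or".
    score = " + ".join(f"(name LIKE ?) * {len(t)}" for t in terms)
    sql = f"SELECT name FROM items WHERE {where} ORDER BY {score} DESC, name"
    params = [f"%{t}%" for t in terms] * 2  # once for WHERE, once for ORDER BY
    return [row[0] for row in db.execute(sql, params)]

def concatenated_search(db, query):
    """Contrast case: input pasted into the SQL text (the vulnerable pattern)."""
    sql = f"SELECT name FROM items WHERE name LIKE '%{query}%' ORDER BY name"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"  # the stray quote breaks the statement

if __name__ == "__main__":
    db = make_db()
    for q in ["'", "'true", "true", "' or true"]:
        print(repr(q))
        print("  keyword     :", keyword_search(db, q))
        print("  concatenated:", concatenated_search(db, q))
```

In the keyword version the word "or" is just another search term, so the result set grows while the "true" items stay on top. In the concatenated version the same inputs break the statement instead of returning a clean "no match".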




