Reported error code considered SQL Injection?

Question

SQL injection that actually runs a SQL command is one thing. But injecting data that doesn't actually run a harmful query but that might tell you something valuable about the database, is that considered SQL injection? Or is it just used as part to construct a valid SQL injection?

An example could be

set rs = conn.execute("select headline from pressReleases 
where categoryID = " & cdbl(request("id")) )

Passing this a string that could not be turned into a numeric value would cause

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'cdbl'

which would tell you that the column in question only accepts numeric data and is thus probably of type integer or similar.

I seem to find this in a lot of pages discussing SQL injection, but don't really get an answer if this in itself is considered SQL injection. The reason for my question is that I have a scanning tool that report a SQL injection vulnerability and reports a VBScript runtime error '800a000d' as the reason for the finding.

Answer 1

I'd say yes! You inject an SQL string and get information you aren't supposed to get. I think that's already "harmful" enough.

Answer 2

This is clearly an SQL injection vulnerability, and it needs to be fixed.

There are a few reasons for this in your scenario:

• Finding out incidental information such as you describe may be useful to an attacker, particulary if they have other attack vectors.
• An attacker finding this vulnerability would be encouraged to go look for some more. Sloppy here may mean sloppy elsewhere.
• In security it is important not to be too clever. Your attacker may know a lot more, or something more, than you do. So what may look to you like a contained vulnerability may be an open door to soneone else.

So yes, your tool is doing the right thing.