Is SQL Injection dead in 2025? Finding Critical Bugs in Item Pagination

Published: December 3, 2025 at 09:41 AM EST
2 min read
Source: Dev.to

Introduction

Many developers believe that in 2025 we are too advanced to see simple SQL injection vulnerabilities anymore. While browsing the functionalities of a well‑known TF2 trading site, I discovered that old habits die hard.

How did I find the bug?

On the Item page there is a navigation feature allowing users to jump to a specific page of listings. Pressing the “…” button triggers a pop‑up where you can manually input the page number. Naturally, I wondered: “Does it trust my input?”

Instead of a number, I entered the character e. The application didn’t handle it gracefully; rather than returning a generic 404 or soft error, the site threw a fatal error exposing a massive amount of sensitive information.

What did we get here?

  • Database Error Code: SQLSTATE[42000]
  • Logic Leak: The error showed exactly where the input was processed (e.g., -25,25).
  • Full Path Disclosure: File paths such as var/.../.../...php were revealed.
  • Internal Functions: Details about the technology stack and file locations were exposed.

This information disclosure alone is critical because it tells an attacker exactly what stack is running and where the files are located.

The 0xC trick

To confirm whether the input was being passed directly to the SQL query without proper sanitization, I tried a classic bypass using 0xC.

Second try, second vulnerability

To understand the scope, I started Burp Suite and manipulated the request further. The request contained parameters that weren’t visible in the UI. By changing parameter names, I was able to trigger consistent SQL syntax errors across different modules.

While some developers argue that SQL injection via integer values, LIMIT, or OFFSET clauses is difficult to exploit, several resources prove otherwise (see references below).
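As an added illustration (not code from this post or from the site it describes, whose stack is not shown; it assumes Python with an in-memory SQLite table of constructed listings), here is the kind of pagination handler that produces an error like the one above, beside a hardened version that allow-lists the page number, binds LIMIT/OFFSET as parameters, and returns a generic response instead of the driver's message:

```python
import re
import sqlite3

PAGE_SIZE = 25

def make_db():
    """Constructed sample data: 60 listings with ids 1..60 (not real site data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, item TEXT)")
    conn.executemany("INSERT INTO listings (item) VALUES (?)",
                     [(f"item-{i}",) for i in range(60)])
    return conn

def listings_vulnerable(conn, page):
    # Anti-pattern: the raw request value is spliced into the SQL, so the database
    # evaluates it. page="e" makes SQLite raise "no such column: e" (MySQL: a
    # SQLSTATE 42000 syntax error); page="0" yields a negative offset like the
    # "-25,25" fragment the post saw in the error message.
    sql = (f"SELECT id, item FROM listings ORDER BY id "
           f"LIMIT {PAGE_SIZE} OFFSET ({page} - 1) * {PAGE_SIZE}")
    return conn.execute(sql).fetchall()

def vulnerable_raises_db_error(conn, page):
    """True if the vulnerable handler surfaces a raw database error for page."""
    try:
        listings_vulnerable(conn, page)
        return False
    except sqlite3.Error:
        return True

_PAGE_RE = re.compile(r"[1-9][0-9]{0,5}")  # allow-list: 1..999999, ASCII digits only

def parse_page(raw):
    # Strict allow-list, not lenient int(): "e", "", "0", "-1", " 2" are rejected.
    if not isinstance(raw, str) or _PAGE_RE.fullmatch(raw) is None:
        raise ValueError("invalid page")
    return int(raw)

def listings_hardened(conn, raw_page):
    offset = (parse_page(raw_page) - 1) * PAGE_SIZE
    # LIMIT and OFFSET are bound parameters; no request text enters the SQL.
    sql = "SELECT id, item FROM listings ORDER BY id LIMIT ? OFFSET ?"
    return conn.execute(sql, (PAGE_SIZE, offset)).fetchall()

def handle_request(conn, raw_page):
    # Client sees a generic 400, never the driver message, path or query fragment.
    try:
        return {"status": 200, "rows": listings_hardened(conn, raw_page)}
    except ValueError:
        return {"status": 400, "rows": []}
```

Pointing the hardened handler at production logging rather than the HTTP response keeps the detail (which parameter, which module) for the defenders while the client only ever sees the 400.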

Disclosure

I responsibly disclosed the vulnerability to the site’s staff. Although the site has a bug bounty program, I was told the bug was “known” and “low risk”. Shortly thereafter, the issue was patched and the error messages were disabled.

Resources & References
