Injecting a database worth $7500

Shahmeer Amir

Oct 11, 2017


Greetings to all those reading this article

I hope that my activity on this blog is satisfying your craving for knowledge. This article is about a tricky SQL injection that I found in one of the highest-paying programs on HackerOne. Of course, for privacy reasons we will not disclose the name of the program, so let's call it vulnsite.com.

As you know, before working on a program I thoroughly read its scope and start by looking for subdomains. I did the same with this one and found the subdomain help.vulnsite.com. Since the best and fastest way to test a web application is to check every input parameter, I started digging. Once again, I am not skilled at finding SQL injection vulnerabilities, and I was not even looking for one; rather, I was looking for peculiar errors that might help me learn more about how the application works.

The web application had very few request patterns, since it was a help site, and only two of them were throwing errors back. The pattern that caught my eye was the one used to comment on a ticket.

A typical comment request looked like this:

POST /commentbox/add HTTP/1.1
Content-Length: 84
Content-Type: application/x-www-form-urlencoded
Referer: https://help.vulnsite.com/
Cookie: CraftSessionId=hjbt0tq872hlcmp8vohttrmfh7; CRAFT_CSRF_TOKEN=8a57b671def6d2579ee45a7dfcc11abc9112e2acs%3A40%3A%22swcDN4umz9jmgPD_cDqOICkkCsukvLOZyXTz%7EZ7T%22%3B;
Host: help.vulnsite.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: /

action=commentbox/add&comment=1&commentboxId=35&elementId=1&optionId=&rating=4

As you can see in the above request, there are a few parameters in this request pattern that are passed through to the database query layer.

Tampering with any of these using a conventional single quote returned a generic internal error, which meant a big no-no for SQLi.

But I am not someone who goes down without a fight, so I started iterating. What I noticed was that appending a double quote after a single quote in the elementId parameter did not produce the internal server error at all. It did not show the SQL error either, so there was more work to be done. I then started converting the payloads into their URI-encoded versions. Finally, with a request such as the one below, in which the single quote was left in its original form and the double quote was URI-encoded (%22):

POST /commentbox/add HTTP/1.1
Content-Length: 84
Content-Type: application/x-www-form-urlencoded
Referer: https://help.vulnsite.com/
Cookie: CraftSessionId=hjbt0tq872hlcmp8vohttrmfh7; CRAFT_CSRF_TOKEN=8a57b671def6d2579ee45a7dfcc11abc9112e2acs%3A40%3A%22swcDN4umz9jmgPD_cDqOICkkCsukvLOZyXTz%7EZ7T%22%3B;
Host: help.vulnsite.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: /

action=commentbox/add&comment=1&commentboxId=35&elementId=1'%22&optionId=&rating=4

I was able to trigger an SQL error such as the one below:

Internal Server Error
CDbCommand failed to execute the SQL statement: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''" AND date = "2017-01-18" AND ipAddress ="196.44.110.41" ORDER BY date DESC' at line 3
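As an added illustration (not code from this write-up or from the affected site), here is the mechanism behind that error from both sides: the form body is URL-decoded so `1'%22` becomes `1'"`, a query assembled by string concatenation in the shape the error message reveals no longer parses, and the same lookup with bound parameters treats the quotes as plain data. The table, its rows and the in-memory SQLite stand-in for MySQL are constructed assumptions; SQLite's quoting rules differ from MySQL's, so the query uses single quotes throughout.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed form body, modelled on the request in the write-up.
FORM_BODY = "action=commentbox/add&comment=1&commentboxId=35&elementId=1'%22&optionId=&rating=4"


def element_id_from_body(body: str) -> str:
    """URL-decode the form body and return the raw elementId value (1'%22 -> 1'")."""
    return parse_qs(body, keep_blank_values=True)["elementId"][0]


def open_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the comments table (hypothetical schema and row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (elementId TEXT, date TEXT, ipAddress TEXT, comment TEXT)")
    conn.execute("INSERT INTO comments VALUES ('1', '2017-01-18', '203.0.113.5', 'hello')")
    conn.commit()
    return conn


def lookup_unsafe(conn, element_id, date, ip):
    """Vulnerable pattern: request values spliced into the SQL text, as the error implies."""
    sql = ("SELECT comment FROM comments WHERE elementId = '" + element_id + "'"
           " AND date = '" + date + "' AND ipAddress = '" + ip + "' ORDER BY date DESC")
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, element_id, date, ip):
    """Hardened pattern: placeholders, so the driver keeps values apart from the SQL text."""
    sql = ("SELECT comment FROM comments WHERE elementId = ? AND date = ? AND ipAddress = ? "
           "ORDER BY date DESC")
    return [row[0] for row in conn.execute(sql, (element_id, date, ip))]


def run_demo():
    """Return (decoded elementId, unsafe outcome, safe outcome) for the write-up's payload."""
    eid = element_id_from_body(FORM_BODY)
    conn = open_demo_db()
    try:
        unsafe = lookup_unsafe(conn, eid, "2017-01-18", "203.0.113.5")
    except sqlite3.Error as exc:
        unsafe = "SQL error: " + str(exc)  # the concatenated query no longer parses
    safe = lookup_safe(conn, eid, "2017-01-18", "203.0.113.5")  # quotes are just data here
    return eid, unsafe, safe


if __name__ == "__main__":
    print(run_demo())
```

With the payload the unsafe branch raises a syntax error (the production analogue of the 1064 above), while the bound query simply finds no row whose elementId is the literal string `1'"`.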

Then it was just a matter of a few iterations in sqlmap to build a good proof of concept, which resulted in a nice and quick response from the program team.

SQL Injection screenshot

I was rewarded $7500 for the bug I found, which I think was appropriate. One thing I have learned over the years is that if an application is tested thoroughly and with complete focus, there is always something to find; we just have to be willing to look a little deeper.

I hope you liked this article of mine. Please let me know in the comments. I will post more proof of concepts soon enough. Thanks a lot, folks.


Shahmeer Amir is an ethical hacker, cyber security researcher and bug bounty hunter from Pakistan.