SQL Injection Write-Up [2]

Hello All, thank you for passing by.

This is my first article on Medium. I normally hate writing blogs these days as I’m very active on Twitter sharing my bug bounty experience and tips if I find them interesting. I’m not a good writer either, so if you find typos or grammatical errors please pardon me.

I have a personal blog, https://www.nav1n.com, where I used to write articles on HackTheBox and TryHackMe, but I completely stopped almost 3 years ago. So this should be my second attempt at starting blogging.

This is the story of an SQL injection I found on a multi-billion dollar retailer’s country-specific eStore and its user experience enhancement program. During the recon I later found that the entire group’s websites are vulnerable to this specific issue through one single parameter, which led me to try different things and ultimately to own multiple of their database servers using simple SQL injection, with possible RCE on some of them.

I didn’t use any major tools or techniques, only the ones each and every bug bounty hunter uses every day.

Keep reading the story of one of my best discoveries ever (I guess!). The post, I believe, is a little lengthy; skip the beginning part if you do not wish to read the blah-blahs.

Disclaimer: The article below is for educational purposes only. I in no way endorse hacking or unethical ways to hack/test a website unless you have obtained permission to do so.

The Enumeration Phase

I was going through a YouTube video recently on a specific recon process where the presenter mentioned his discovery of some RCE and SQL injections on a private BB target. He said he found those targets using simple Google dorks like `site:..xx inurl:bug inurl:bounty`, `site:..xx.xx intext:security report reward` and `site:..xx intext:security report reward`. Being a bug hunter for years, I knew about these dorks but had never tried them in real life.

I ran some of the dorks and found hundreds of targets, but most of them are VDPs with HoFs and no rewards. I kept looking and found this non-English target. They had a security.txt page which said the scope applies to all of their group of companies’ web assets, including the international ones. The reward table said they offer up to 3.5K EUR for SQLi and RCE and 500 for XSS etc., so I decided to work on this target hoping to find some SQLi or RCE/CVEs etc.

Finding an SQL Injection

I know it’s easier to find SQL injection than RCE, so my initial target was SQL injection attacks.

1 Subdomain Enumeration:

My methodology is to find as many subdomains as possible if the target is huge and allows subdomain enumeration. To enumerate subdomains, I prefer Netlas, crt.sh and securitytrails.com.

I agree that the securitytrails service is very expensive if you compare it to a lot of alternatives, but their free tier gives 50 API runs with unlimited subdomain search per month.

2 Certificate transparency search:

At first, I started to enumerate the subdomains using certificate transparency tools like crt.sh and Netlas. Both of them together got me around 4961 (sub)domains under the group name.

Netlas:
Sample netlas query to find certificates:

https://app.netlas.io/certs/?q=certificate.subject.organization%3A%22Microsoft%20Corporation%22&page=1

SecurityTrails:

Once I have the list from CT, I head to SecurityTrails, where I use the following curl command (not mine, I found it in a Discord server) to find subdomains of their main website.

# Query the SecurityTrails subdomain API, strip the JSON quotes, save the bare labels,
# then append the root domain to each label (apikey placeholder kept as on the page)
curl -s --request GET \
  --url "https://api.securitytrails.com/v1/domain/target.xx.xx/subdomains?apikey=*****" \
  | jq '.subdomains[]' | sed 's/\"//g' > target.xx.xx.txt 2> /dev/null \
  && sed "s/$/.target.xx.xx/" target.xx.xx.txt | sed 's/ //g'

The script returns around 2k subdomains. I copied all of them to my Excel sheet and filtered the duplicates.

Funny part: I still use Excel to remove duplicates from my huge lists. I believe this is the best and most efficient way, at least for me ;)
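The Excel step above (merging the CT output with the SecurityTrails labels and dropping duplicates) is also a good place to normalise names and enforce scope before anything gets probed. The following Python script is an added example, not the author’s code: it takes constructed samples shaped like the two sources (SecurityTrails returns bare labels under `subdomains`, which matches the jq filter in the post; crt.sh’s JSON output lists names in a `name_value` field, sometimes several per entry separated by newlines, which is my assumption), lowercases them, strips wildcard prefixes and trailing dots, keeps only hosts under the root domain, and deduplicates.

```python
import json

ROOT = "target.xx.xx"  # the redacted root domain as it appears in the post

# Constructed sample responses (not real API output) shaped like the two sources.
SECURITYTRAILS_JSON = '{"subdomains": ["www", "api", "Shop", "www"]}'
CRTSH_JSON = json.dumps([
    {"name_value": "*.target.xx.xx\nshop.target.xx.xx"},   # wildcard + second SAN on one cert
    {"name_value": "API.target.xx.xx."},                   # mixed case, trailing dot
    {"name_value": "not-target.xx.xx"},                    # lookalike, outside scope
    {"name_value": "cdn.othergroupsite.xx"},               # unrelated domain
])


def normalize(host):
    """Lowercase, drop surrounding whitespace, trailing dot and a leading wildcard label."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def in_scope(host, root=ROOT):
    """True only for the root itself or a real subdomain of it (label boundary enforced)."""
    return host == root or host.endswith("." + root)


def from_securitytrails(raw, root=ROOT):
    """SecurityTrails returns labels only; rebuild the FQDN like the sed step in the post."""
    return [f"{label}.{root}" for label in json.loads(raw)["subdomains"]]


def from_crtsh(raw):
    """crt.sh entries may carry several names separated by newlines (assumption)."""
    names = []
    for entry in json.loads(raw):
        names.extend(entry["name_value"].split("\n"))
    return names


def merge_subdomains(candidates, root=ROOT):
    """Normalise, scope-filter and deduplicate; returns a sorted list."""
    seen = set()
    for host in candidates:
        h = normalize(host)
        if h and in_scope(h, root):
            seen.add(h)
    return sorted(seen)


def build_inventory():
    candidates = from_securitytrails(SECURITYTRAILS_JSON) + from_crtsh(CRTSH_JSON)
    return merge_subdomains(candidates)


if __name__ == "__main__":
    for host in build_inventory():
        print(host)
```

The scope check compares on a label boundary (`"." + root`), so lookalike registrations such as `not-target.xx.xx` are not swept into the list; that matters when the programme’s scope statement covers a whole group of companies and the list is about to be fed to httpx and Burp.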

3 HTTP Probing:

Now I had exactly 3154 unique subdomains. I copied them to my Kali machine and ran httpx against them; in return, I got 2892 URLs in the basket that were ready for further attacks.

URL List >> ParamSpider.py:

ParamSpider by @0xAsm0d3us is by far considered one of the best parameter fuzzing tools, or miners, whatever you call them. I also use Arjun by @s0md3v, but honestly I feel a little more comfortable with PS.

Since my target is huge and ParamSpider by default supports only a single URL (I do not understand why you do this to us, @0xAsm0d3us), I had to find an alternative way to achieve this.

I found a piece of script from my old friend. This script takes a list of URLs, sends each through xargs, removes duplicates and gives you a list. I had some errors while running it, but the list was ready.

Scanning multiple URLs / a list of URLs using ParamSpider:

cat target.lst | xargs -n 1 -I {} python3 ~/ParamSpider/paramspider.py --domain {} --level high | urldedupe >> all_spiderparamters.txt

The results were shocking: I now had a whopping one million, seven hundred and ninety-six thousand, one hundred and forty-nine (1,796,149) lines…

The file size itself is ~96 MB. I thought it was not a wise idea to run all of them through Burp Suite or SQLMAP because Kali and the host would eat up a lot of resources and eventually crash, so I decided to break the file into multiple smaller files of 10 MB each and work on them one by one.

I set up my Burp Suite and started scanning the small list. I started to get a lot of low-hanging issues like open redirect, CORS, and even a few XSS, but no high or critical issues.

I didn’t get major vulns in the first file, so I let Burp do its job on the second file and took my wife and kids for a weekend dinner. When we returned after 3–4 hours, Burp was still running, but a red exclamation icon was flashing with the issue type (SQL Injection).

Burp Suite finally found a boolean-based SQL injection for me. I checked the server and it’s Apache. I sent the vulnerable URL to Repeater with multiple sleep queries like: `MSUyN1hPUiUyOFNFTEVDVCUyODElMjlGUk9NJTI4U0VMRUNUJTI4U0xFRVAlMjg4JTI5JTI5JTI5YSUyOVhPUiV1MjAxOVolMkMlMjAxJTI3JTIwT1JERVIlMjBCWSUyMDEtLSslMkMlMjAxJTIwb3IlMjBzbGVlcCUyODUlMjklNjAlNjA=`, but sadly I was getting a JSON message saying “Success” from the server. It seems the WAF/server was doing some kind of sanitization of known SQLi payloads.

4 First Breakthrough

I spent an hour trying different methods to see at least an error or to execute a sleep; nothing worked. The GET request didn’t work, so I decided to change the request to POST and sent the simple payload 1=1' as the value of the parameter, and voilà, here I got the following error:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’1=1'’))

Now I knew SQL injection was possible on this site. Before moving to SQLMAP, I wanted to see how many endpoints were using this vulnerable parameter, so I extended my search in Kali and grepped for the parameter “xxx”. I found only 4 out of 2892 geographically based subdomains were using this parameter. When I opened the links to see if there were any forms or input fields, I was redirected to the homepage. This confirmed the page is not active anymore.
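The 1064 syntax error above is exactly what string concatenation produces when a stray quote lands inside the SQL text, and the earlier “Success” responses show why a WAF that only sanitises known payloads is not a fix. The following Python script is an added example, not code from the original post or from the affected site: it reproduces the behaviour against an in-memory SQLite table (standing in for the MySQL backend, an assumption) and places the parameterised query and a generic-error handler beside the vulnerable lookup. The same 1=1' input raises a driver error in the concatenated query and is treated as plain data in the bound one.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the suggestion page's backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE suggestions (id INTEGER PRIMARY KEY, category TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO suggestions (category, body) VALUES (?, ?)",
        [("checkout", "faster payment"), ("search", "better filters")],
    )
    return conn


def lookup_vulnerable(conn, category):
    """String concatenation: the request parameter becomes part of the SQL text."""
    sql = "SELECT id FROM suggestions WHERE category = '" + category + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, category):
    """Parameterised query: the driver binds the value, so it is never parsed as SQL."""
    rows = conn.execute("SELECT id FROM suggestions WHERE category = ?", (category,))
    return [row[0] for row in rows]


def handle_request(conn, category, lookup=lookup_safe):
    """Request handler that logs driver errors internally and never echoes them to the client."""
    try:
        return {"status": "Success", "ids": lookup(conn, category)}
    except sqlite3.Error as exc:
        # In a real service this goes to the server log, not the HTTP response.
        _ = str(exc)
        return {"status": "Error", "ids": []}


def demo():
    """Run the page's 1=1' input through both lookups and report what happened."""
    conn = make_db()
    results = {}
    try:
        lookup_vulnerable(conn, "1=1'")
        results["vulnerable_raised"] = False
    except sqlite3.Error as exc:
        # SQLite's equivalent of MySQL's 1064: the unbalanced quote breaks the statement.
        results["vulnerable_raised"] = True
        results["vulnerable_error"] = str(exc)
    results["safe_rows"] = lookup_safe(conn, "1=1'")        # [] : treated as a literal string
    results["safe_normal"] = lookup_safe(conn, "checkout")  # [1]: normal lookup still works
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`handle_request` is the second half of the fix: even with parameterised queries, any remaining database exception should be turned into a generic response, because the verbose SQLSTATE text is what turned a blind guess into a confirmed finding here.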

When I checked on archive.org, I found a cached version that showed me the page is a kind of user experience enhancement suggestion page, most of it in an alien language. I left archive.org and headed back to my Kali VM.

5 SQLMAP or Ghauri, here is the Winner

I recently noticed SQLMAP is losing its edge to Ghauri (https://github.com/r0oth3x49/ghauri). Not once but more than 4–5 times when SQLMAP failed, Ghauri got the exploit right within a few minutes.

I copied the request into a file and ran SQLMAP with the bare minimum -r request.txt -p xxx --random-agent flags; it failed to find the exploit. I got multiple errors, 500, 4xx etc., but unfortunately SQLMAP failed me every time.

In a recent tweet I asked the community for help with a similar situation; there were some good suggestions, but none of them worked here except the one suggesting to use Ghauri.

I sent the same request to Ghauri and here is the result. Ghauri took just 4 minutes to find the exploit for time-based blind SQL injection and boolean-based blind.

6 Retrieving Database Name

Now it was time to retrieve the database name to prove the exploit. I ran the following command:

ghauri -r xxx -p xxx --dbms=mysql --dbs

And here I have the nice, beautiful xxxprod database name, which suggests the DB is a production database.

I ran Ghauri on different endpoints and received different databases, including a staging and a UAT one.


Winner:
SQLMAP: 0 | Ghauri: 1

I ran the following command to retrieve the password hash.

ghauri -r xxx -p xxx --dbms=mysql -D xxxprod -T admin_passwords -C password_hash --dump

Aaand here it is. I now have the admin password hash and the password, which would let me own any of their databases across 3 major eStores.


I humbly sent them a detailed report on my findings and my analysis. I got the reply on Monday evening (time difference) asking whether there were more vulnerable parts, but I couldn’t find any.

The same night I got an acknowledgement of the acceptance of the vulnerability. They are internally discussing the bounty and possibly applying the fix. I reported 4 SQL injections, 3 XSS and an open redirect; I’m expecting a payout of minimum 4.5K EUR.

That’s all.

Takeaways:

1. Always go for a larger-scoped target.

2. Make use of GoSpider, ParamSpider and Arjun.

3. Archive.org has more vulnerable endpoints cached than the live ones.

4. If the GET request didn’t work, try POST and change the protocol from HTTP/1.0 to HTTP/2.0 to see if it helps.

Thank you for reading. I will come back soon with another interesting story of multiple Log4Shell findings on a major sporting goods manufacturer’s webapp.
