SQL Injection in Forget Password Function

khaled gaber
Jul 18 · 3 min read

This is my first time on Medium and I wanted to share with you my first SQL injection bug reported to a private bug bounty program let’s name it “example.com” which I discovered in forget password function which I usually look for logical bugs in this function instead of SQLi.

Enumeration Phase

First, try to test the normal behavior of any function before starting to manipulate the input parameters or thinking of how to abuse it, this will make your hunting life much easier and identify the bugs much faster.

Testing the normal behavior by submitting an already existed user email and the response was

And when submitting an email like “idontexist@test.com” the response was

Now the time comes for our SQLi testing. first, I tried to end my input with a single quote and the response was “Unable to access data” which was very suspicious.

Knowing that when single quote repeated twice is treated as a literal character, not a special one, I ended my input with two single quotes like [ test@test.com’’ ], Then we had the normal response of the non-existed mail and this was close to prove that this function is vulnerable to SQLi. Also, this clarifies the importance of understanding the application’s behavior and normal response messages.

One of the most important web application enumeration steps is to identify the back-end language and technologies and this sometimes leads to expecting the DBMS engine. From web page extensions like “RetrievePassword.aspx”, the pentester identified that back-end language is “ASP.NET” which always comes with MSSQL server as a DBMS engine. This little piece of information made the exploitation very easy to craft targeted payloads.

Exploitation Phase:

The basic SQLi exploitation steps are to break the query which we did with single quotes then fix the query with a comment character, then inject anything in between.

After trying a couple of payloads and special characters we were able to inject and fix our query with a payload like the following one [ test@test.com’) — ]

Now I can finally exploit this SQLi vulnerability and started with a simple technique called “Time-Based” which delays the database server responses with a specific amount of time. (WAIT FOR DELAY ‘hh:mm:ss’) is a MSSQL function that suspends the execution for the specified amount of time

as a PoC I was able to delay database server responses up to 30 seconds using the following payload [ anyInput’) WAITFOR DELAY ‘0:0:30’ — ]

Attack Automation:

Since it’s a Time-Based SQLi, it’s very hard to make the exploitation and data exfiltration manually and here “SQLMap” comes to rescue to automate this process.

Submit this vulnerable request and intercept it with “Burp Suite” proxy tool, replace the “E-mail” value with an “*” to be detected by SQLMap as a custom injection point, and save this request.

After a couple tries with SQLMap options, the final command that was used to exploit this SQLi and extract the Database names was:

The next steps are to identify the application database then tables and columns then dump data of the juicy columns like usernames, emails, and passwords which were saved as a clear-text format.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade