Hello Injectors! This story is about an SQL injection we found in the website https://www.gujarattourism.com, which was running on CodeIgniter with unsanitized input. The injection itself is as simple as other PoCs, but since the site was running on the CodeIgniter framework we decided to share the process.
Vulnerability: SQLi (WAF)
OWASP Testing Guide reference: OTG-INPVAL-005
In the snapshot below, Wappalyzer shows that the website is running CodeIgniter.
SQL injection (Patched)
The website was also vulnerable to XSS, and its admin panel was accessible but not vulnerable, so after some manual spidering of the website we were led to this page.
Below are the steps to reproduce the SQLi vulnerability:
- Open http://www.gujarattourism.com/tourist_guide/related?d=1
- Append a ' character (or any other invalid input) to generate a database error.
- Determine the total number of columns using the ORDER BY method; here there are 29 columns.
- Find the vulnerable (reflected) columns using the query below.
- Here columns 6, 7, 8, 10, 14, 11, 12 and 13 are vulnerable.
- Retrieve the table and column names by running the query below.
- Since an administrator table is present, the admin credentials can be retrieved with the query below.
- The credentials are returned in hashed form, but they hid the admin panel a few days later.
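The root cause of the bug above (a request parameter concatenated straight into a query) beside its fix, as an added example that is not code from the original post or from the site: the table name, column names and row data are assumptions, and PDO with an in-memory SQLite database stands in for CodeIgniter's database layer (the equivalent CodeIgniter 3 calls are noted in the comments).

```php
<?php
// Added example, not code from the original post. It reproduces the defect
// class described above (a request parameter concatenated into SQL) beside
// its fix (a bound parameter). Runs stand-alone on PDO with an in-memory
// SQLite database; the table and column names are assumptions, not the
// site's real schema.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tourist_guide (id INTEGER PRIMARY KEY, district INTEGER, name TEXT)');
$db->exec("INSERT INTO tourist_guide VALUES (1, 1, 'Guide A'), (2, 1, 'Guide B'), (3, 2, 'Guide C')");

// Vulnerable pattern: the raw value of ?d= is pasted into the SQL string.
// A trailing quote breaks the statement and surfaces a database error (the
// first signal in the steps above), and an ORDER BY clause is executed as SQL,
// which is what makes column counting possible.
function relatedVulnerable(PDO $db, string $d): array
{
    $sql = 'SELECT name FROM tourist_guide WHERE district = ' . $d;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: validate the shape of the input, then bind it so the
// database only ever sees it as data. In CodeIgniter 3 the equivalent is
// $this->db->query($sql, array($d)) with a ? placeholder, or the Query
// Builder call $this->db->where('district', $d)->get('tourist_guide').
function relatedSafe(PDO $db, string $d): array
{
    if (!ctype_digit($d)) {
        throw new InvalidArgumentException('d must be a positive integer');
    }
    $stmt = $db->prepare('SELECT name FROM tourist_guide WHERE district = ?');
    $stmt->execute([(int) $d]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal request, the quote probe, and a column probe.
foreach (['1', "1'", '1 ORDER BY 3'] as $input) {
    foreach (['vulnerable' => 'relatedVulnerable', 'hardened' => 'relatedSafe'] as $label => $fn) {
        try {
            $out = json_encode($fn($db, $input));
        } catch (PDOException $e) {
            $out = 'SQL error: ' . $e->getMessage();
        } catch (InvalidArgumentException $e) {
            $out = 'rejected: ' . $e->getMessage();
        }
        printf("%-10s d=%-13s -> %s\n", $label, $input, $out);
    }
}
```

The vulnerable function reports a database error for both probe inputs, which is exactly the behaviour the steps above rely on, while the hardened function returns the two rows for district 1 and rejects the probes before they reach the database.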
Below is the Proof of concept (PoC) video.
- An attacker can run DIOS queries, check file privileges, upload a shell or deface pages via OUTFILE, achieve code execution, etc. Below is a screenshot of the b374k mini 1.01 shell.
- Finally, the vulnerability was reported to all the concerned contacts (the Minister, the Principal Secretary, the MD and even the Chairman), but there was no response from any of them, which left a very uncomfortable feeling, and I was like …
- But after a few months they removed the vulnerable page, perhaps because they had noticed the reports.
- Happy injecting 😃