Injecting tourism website running codeigniter

Vulnerables
Sep 12, 2018 · 2 min read

Hello Injectors! This story is about an SQL injection we found in the website https://www.gujarattourism.com, which was running on CodeIgniter with unsanitized input. The injection is as simple as other PoCs, but since the site was running on the CodeIgniter framework we decided to share the process.

Vulnerability: SQLi (WAF)
Severity: High
OWASP reference: OTG-INPVAL-005

The Wappalyzer snapshot below shows that the website is running CodeIgniter.

Wappalyzer

SQL injection (Patched)

The website was vulnerable to XSS, and its admin panel was also accessible but not vulnerable, so some manual spidering of the website led us to this page.

Below are the steps to reproduce the SQLi vulnerability:

  • Here columns 6, 7, 8, 10, 14, 11, 12 and 13 are vulnerable.
  • As an administrator table is available, you can retrieve the admin credentials with the query below.
  • You’ll get the credentials in hash format, but they hid the admin panel a few days later.
Credentials

Below is the Proof of concept (PoC) video.

Proof Of Concept
  • An attacker can perform DIOS queries, check file privileges, upload a shell or deface a page via OUTFILE, perform code execution, etc. Below is a screenshot of the b374k mini 1.01 shell.
Shell
  • Finally, the vulnerability was reported to all concerned contacts, like the Minister, principal secretary, MD and even the chairman, but there was no response from them, so it triggered a very uncomfortable feeling and I was like …
  • But after a few months they removed the vulnerable page, maybe because they noticed the reports.
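To show where the bug class described above lives in a CodeIgniter application, here is an added example (not code from the site or from the CodeIgniter project): a controller method that concatenates a query-string value straight into SQL, next to two fixed versions that use CodeIgniter 3 query bindings and the Query Builder. The class, table and column names are assumptions.

```php
<?php
// Added example; not code from gujarattourism.com or from CodeIgniter itself.
// Assumes a CodeIgniter 3 application. Table "places" and its columns are hypothetical.
defined('BASEPATH') OR exit('No direct script access allowed');

class Places extends CI_Controller
{
    // VULNERABLE: the raw query-string value is concatenated into the statement,
    // so input is interpreted as SQL rather than as data. This is the pattern
    // behind the UNION-based reads of other tables the write-up describes.
    public function show_vulnerable()
    {
        $id = $this->input->get('id');             // unsanitized user input
        $sql = "SELECT name, district FROM places WHERE id = " . $id;
        $query = $this->db->query($sql);
        echo json_encode($query->result_array());
    }

    // FIX 1: query bindings. CodeIgniter escapes each bound value and
    // substitutes it for the "?" placeholder, so it can never alter the query.
    public function show_bound()
    {
        $id = (int) $this->input->get('id');       // ids are integers: cast as well
        $sql = "SELECT name, district FROM places WHERE id = ?";
        $query = $this->db->query($sql, array($id));
        echo json_encode($query->result_array());
    }

    // FIX 2: Query Builder. get_where() escapes the values it is given.
    public function show_builder()
    {
        $id = (int) $this->input->get('id');
        $query = $this->db->get_where('places', array('id' => $id));
        echo json_encode($query->result_array());
    }
}
```

Binding fixes the injection itself; the OUTFILE step in the write-up additionally depends on the application's database account holding the MySQL FILE privilege, which a web application's account should not have.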

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by Vulnerables

Vulnerabilities | Write-ups | Publication link is below | https://medium.com/vulnerables
