Tricky oracle SQLI situation

blog.yappare.com · devanshbatham/Awesome-Bugbounty-Writeups · 5 hours ago · research
AI Summary

A case study demonstrating Oracle SQL injection exploitation techniques using string concatenation operators and the rownum function to bypass filtering of CASE statements and special characters. The attacker enumerated column names and extracted data through blind SQL injection despite character restrictions on underscores, parentheses, whitespace, and other special characters.

Tricky Oracle SQL Injection Situation ~ Random stuff by yappare

Thursday, April 16, 2020

Recently I learnt a few new things while solving SQL injections found during pentests and also bug bounties. One of the techniques that seemed new to me is the one I learnt from my master, pokleyzz.

This injection was found in a recent bug bounty program, and the actual path/parameter have been replaced. The injection was found on the "idNumber" parameter of the following endpoint:

/foo/?theName=YAP&idNumber=248001[here]

Common payloads were performed on this target, and initially I found the following payloads worked to identify the TRUE / FALSE condition:

/foo/?theName=YAP&idNumber=248001'+AND+'1'='1    TRUE
/foo/?theName=YAP&idNumber=248001'+AND+'2'='1    FALSE

I was also able to use the pipe (concatenation) operator:

/foo/?theName=YAP&idNumber=248'||'001            TRUE
/foo/?theName=YAP&idNumber=24'||'8'||'001        TRUE
/foo/?theName=YAP&idNumber=24'||'X'||'001        FALSE

With these conditions, I was able to narrow down the database used by this application to Oracle, PostgreSQL, IBM DB2 or Informix.

At first, I thought this could be done using the same technique I already knew:

See: https://blog.yappare.com/2012/04/advance-oracle-blind-sql-injection.html

However, CASE() was not working. After a few attempts, I stopped trying to use CASE().

Next, this technique was tried:

See: https://blog.yappare.com/2017/03/blind-sql-injection-in-erim-not-sure.html

No joy. Dead end.

After almost two days of trying, I gave up doing it myself and asked a few friends for help. No luck. I tried my last option, pokleyzz. In less than an hour, he showed me the technique that could be used:

/foo/?theName=YAP&idNumber=248'||||'001

As a result, I found "rownum" was accepted, which indicates the DBMS is Oracle.

To reconfirm, the following was queried:

/foo/?theName=YAP&idNumber=24800'||rownum||'

The above payload resulted in the website displaying the list of "theName" products whose "idNumber" starts with 24800. Interesting!

Now, how can we at least extract data from this injection? Another blocker was identified. It seems the application filtered/replaced the following characters:

_ ( ) + . whitespaces

While this seemed like another dead end, pokleyzz showed another brilliant way to extract the data using the following payload:

/foo/?theName=YAP&idNumber=248'||||'001 -

We found a few column names, one of which was "username". Then the final step was:

/foo/?theName=YAP&idNumber=248001'and''||username||''like'%

I ran Intruder on the above attack point and voila, got the username 😼

As always, pokleyzz is the best master I have. 💻 Bye.