SQLI through User Agent

SQL injection through User-Agent | by fr0stNuLL - Freedium Milestone: 20GB Reached We’ve reached 20GB of stored data — thank you for helping us grow! Patreon Ko-fi Liberapay Close < Go to the original SQL injection through User-Agent Hi everyone, in this simple tutorial I will describe how I was able to exploit a SQL injection, using the user-agent as vector. First of… fr0stNuLL Follow ~4 min read · May 8, 2019 (Updated: December 9, 2021) · Free: Yes Hi everyone, in this simple tutorial I will describe how I was able to exploit a SQL injection, using the user-agent as vector. First of all, I will leave "blur" in the sensitive parts as it was requested from the customer of the private program. After authenticating in the application I came across the following request: After, try several things .. and application always return "OK" in the response .. I put a single quote (') in the U ser-Agent Header .. result, instead of the application return 200 OK, returned 401 .. as demonstrated below: Next step was trying to exploit some SQL injection payloads, after a few tries it sees that the application was vulnerable to a type of SQL injection Boolean based . Putting the tests into practice, when the payload ' AND' 1 '=' 1 was inserted into the User-Agent the application returned 200 OK, when the payload ' AND' 1 '=' 2 was entered the application returned 401. The images below illustrate the fact: After confirming that the application was vulnerable, the next step was to try to verify which version of the database the application was using. For this, I have tested functions of the Oracle , MySQL , MicrosoftSQL etc. databases. Finally, through the payload ' and substring(@@version,1,1)=1=Ƈ'', it was possible to identify that the database was MySQL or MariaDB. The images bellow show the fact: OBS: if you don't know what the function substring here you can found :) After iterates the values of substring function i got the version i it was 10.1.21 Mariadb. A cool trick when you find a Boolean based , is to test if there is a possibility of using a " subselect ", in my case it was possible. To get the name of the table, it is necessary to make a wordlist with some familiar names and it is also cool, to make a wordlist with the name of the company. Through the following payload ' AND (select 1 from "WORDLIST" limit 0,1)=1+' , it was possible to get the name of the table " app_user ", see that in the image the below is returned 200 OK in the response of the server. Now, that we have the name of the table, we go behind the name of the columns so we can get the user and the password. In the same way that it was exploited to get the table name, an attempt / error is also used here with common names used in colums such as user, password, user_pass, passwd, etc. The following images illustrate the name of the retrieved columns. Finally, the following payload looks for the "password" column in the "app_user" table where the user id is equal to 'X' and brings the user password in the application. Return 200 "OK" for user id 971 Return 401 for user id 972 This is all personal, I can not show the rest with the passwords in the application because it would violate some terms :) any doubt we are together. Sharing is Caring :) #bug-bounty #pentesting #hacking Reporting a Problem Sometimes we have problems displaying some Medium posts. If you have a problem that some images aren't loading - try using VPN. Probably you have problem with access to Medium CDN (or fucking Cloudflare's bot detection algorithms are blocking you).