SQLi in forget password function

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · bug-bounty
quality 7/10 · good
0 net
AI Summary

A time-based blind SQL injection in the forget password function of an ASP.NET/MSSQL application: a trailing single quote broke the query and produced an error, a doubled single quote restored normal behaviour, a ') -- payload closed the string literal and commented out the rest of the query, WAITFOR DELAY confirmed the injection, and SQLMap with a custom injection point automated extraction of the database contents.

Entities
SQLMap Burp Suite MSSQL ASP.NET
SQL Injection in Forget Password Function
khaled gaber · ~3 min read · July 18, 2019 (Updated: December 10, 2021)

This is my first time on Medium and I wanted to share my first SQL injection bug, reported to a private bug bounty program (let's call it "example.com"). I found it in the forget password function, a place where I usually look for logic bugs rather than SQLi.

Enumeration Phase

First, test the normal behaviour of a function before you start manipulating its input parameters or thinking about how to abuse it. This makes bug hunting much easier and helps you spot anomalies faster. I tested the normal behaviour by submitting an existing user's email and noting the response, then submitting a non-existent one like "[email protected]" and noting that response.

Then it was time for SQLi testing. I first ended my input with a single quote, and the response was "Unable to access data", which was very suspicious. Inside a SQL string literal a doubled single quote ('') is an escaped literal quote rather than a string delimiter, so I ended my input with two single quotes, as in [email protected]'', and got the normal response for a non-existent email. That was close to proof that the function is vulnerable to SQLi: the application's behaviour depends on whether my input keeps the query syntactically valid. It also shows why understanding an application's normal responses and error messages matters.

One of the most important web application enumeration steps is to identify the back-end language and technologies; this often lets you guess the DBMS engine. From page extensions like "RetrievePassword.aspx" I identified the back end as ASP.NET, which is most commonly paired with Microsoft SQL Server (MSSQL). That small piece of information made it easy to craft targeted payloads.

Exploitation Phase:

The basic SQLi exploitation steps are: break the query (which the single quote already did), fix it with a comment sequence so the rest of the original query is ignored, then inject anything in between. After trying a few payloads and special characters, the following one both broke and fixed the query, which means the input sits inside a parenthesised string literal:

[email protected]') --

Now I could exploit the SQLi, starting with a simple technique called time-based (blind) injection, which makes the database server delay its response by a chosen amount. WAITFOR DELAY 'hh:mm:ss' is a T-SQL statement that suspends execution for the given interval. As a proof of concept I delayed the server's response by 30 seconds with:

anyInput') WAITFOR DELAY '0:0:30' --

(A 30-second delay is fine for a one-off proof, but repeated probing should use a short delay, a few seconds above the measured baseline response time, to avoid hammering the target.)

Attack Automation:

Because this is a time-based SQLi, exploiting it and exfiltrating data by hand is very slow, and this is where SQLMap comes to the rescue. Submit the vulnerable request, intercept it with the Burp Suite proxy, replace the "E-mail" value with "*" so that SQLMap treats it as a custom injection point, and save the request to a file. After a couple of tries with SQLMap options, the final command that exploited the SQLi and extracted the database names was:

The next steps are to identify the application's database, then its tables and columns, and finally dump the juicy columns such as usernames, emails, and passwords, which were stored in clear text.

#security #sql-injection #bug-bounty #time-based