Sql Injection via hidden parameter

hajarerutik9.medium.com · kh4sh3i/bug-bounty-writeups · 19 hours ago · bug-bounty
AI Summary

A researcher discovered a SQL injection vulnerability in a trading company's reporting download endpoint via a hidden 'status' parameter that was discovered using parameter mining tools, exploitable through time-based blind SQL injection.

Entities
Rutvik Hajare OWASP sqlmap Burp Suite
Rutvik · ~2 min read · January 24, 2021 (Updated: December 28, 2021)

Hello Everyone, I am Rutvik Hajare and I am new in the cyber field. This is my first write-up on one of my critical findings. Usually I hate blog writing, but anyways.

SQL INJECTION: OK, everyone knows what SQL injection is. For those who are new in this field or don't know what it is, OWASP has a very good and short description of SQL injection. Without wasting time, let's get to the findings.

FINDINGS: The target was a trading company, let's call it redacted.com. Without doing any kind of recon I simply registered on the target and it redirected me to the dashboard. I refreshed the page while running Burp proxy to check the requests. After checking I found nothing interesting. But in the web app there was another option where I could see/download my trading reports. I generated the example report and downloaded it while running Burp proxy. The interesting part I found was that for downloading the report the web app was requesting to fetch the bank id, user id, etc. After checking a lot of requests I came up on the following request.

To access the resource of the above request I had to provide the token (which I didn't have). Then I started directory bruteforcing on the above endpoint and found the valid directory "bankacc". But the response was empty. So I thought of finding hidden parameters and started Param Miner. And found the status parameter. I tried to send some arbitrary value and boom!! I got the SQL error. I quickly injected the 1' AND sleep(5)-- payload in the status parameter and yay, I got the 5 sec delay and confirmed the vulnerability.

Immediately I fired up sqlmap and passed this request to it! Within a minute I dumped their whole database :) !! Small tip: never forget to try SQL injection on hidden parameters. Hope you like this! And sorry for bad English :) Thanks for reading!!
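The write-up does not show the backend code, so the following is an added illustration and not the author's or the target's code. It reconstructs the two observable steps from the post (an arbitrary value producing a database error, then the 1' AND sleep(5)-- payload) against a constructed in-memory SQLite table, and places the concatenated query next to a parameterized, allowlisted version plus a check for unexpected query parameters. The table name "bankacc" is borrowed from the directory found in the write-up; the schema, column names and sample rows are assumptions. Because SQLite has no sleep() function, the payload surfaces here as a "no such function" error rather than a delay, which still shows that the input rewrote the query text.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data standing in for the redacted target's report backend.
# The table name "bankacc" is borrowed from the directory named in the write-up;
# the real schema is unknown, so this layout is an assumption for illustration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bankacc (id INTEGER PRIMARY KEY, user_id INTEGER, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO bankacc (user_id, status) VALUES (?, ?)",
        [(7, "active"), (7, "active"), (7, "closed"), (9, "active")],
    )
    return conn


# The pattern the write-up found: the request parameter is spliced into the SQL
# text, so whoever controls 'status' also controls the query's syntax.
def fetch_vulnerable(conn, user_id, status):
    sql = f"SELECT id FROM bankacc WHERE user_id = {user_id} AND status = '{status}'"
    return [row[0] for row in conn.execute(sql)]


# Hardened version: the value is bound as a parameter, so the driver sends it as
# data rather than as SQL, and it is additionally checked against an allowlist
# because 'status' can only ever take a handful of values (assumed set).
ALLOWED_STATUS = {"active", "closed", "pending"}

def fetch_hardened(conn, user_id, status):
    if status not in ALLOWED_STATUS:
        raise ValueError("status not in allowlist")
    sql = "SELECT id FROM bankacc WHERE user_id = ? AND status = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id), status))]


def classify(conn, fetch, user_id, status):
    """Run one lookup and report what the client would observe: a row list, a
    database error (the signal that tipped off the author), or a clean rejection."""
    try:
        return ("rows", fetch(conn, user_id, status))
    except sqlite3.Error as exc:
        return ("db_error", str(exc))
    except ValueError as exc:
        return ("rejected", str(exc))


# Mitigation for the "hidden parameter" part: the handler should know exactly which
# query parameters it accepts and log or reject anything else, so an undocumented
# parameter cannot quietly reach the database layer.
def unknown_params(query_string, expected):
    return set(parse_qs(query_string, keep_blank_values=True)) - set(expected)


if __name__ == "__main__":
    conn = make_db()
    # Legitimate use: both builds return the same rows.
    print(classify(conn, fetch_vulnerable, 7, "active"))
    print(classify(conn, fetch_hardened, 7, "active"))
    # An innocent apostrophe already breaks the concatenated query, which is the
    # "arbitrary value gives a SQL error" step of the write-up.
    print(classify(conn, fetch_vulnerable, 7, "don't"))
    # The write-up's payload: on this SQLite stand-in it surfaces as a
    # "no such function: sleep" error instead of a delay, but the query text was
    # still rewritten by the input. The hardened build never builds that query.
    payload = "1' AND sleep(5)-- "
    print(classify(conn, fetch_vulnerable, 7, payload))
    print(classify(conn, fetch_hardened, 7, payload))
    # The unexpected 'status' parameter is caught before it reaches SQL.
    print(unknown_params("user_id=7&bank_id=3&status=active", {"user_id", "bank_id"}))
```

Two defender-side points follow from running it: a verbose database error returned to the client is itself a finding worth alerting on, and an allowlist of accepted parameter names would have stopped an undocumented parameter from ever reaching the query builder.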