Story of SQL Injections on One program on Bugcrowd:


Hello, this is Ahmed Ismail. Today I'm gonna share my first blog post. It should have been published about 10 months ago, but sorry, I'm lazy :D.

So I'm gonna share the story of SQL injection on a private program on Bugcrowd. It was fun because the DBMSs I had to deal with were different from the usual ones: Informix and IBM DB2. So let's get started.

Blind SQL Injection: a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.

So let's begin with the Informix DB. After enumerating the subdomains of the target (let's name it "REDACTED") and spidering them, I reached an endpoint that looked like a potential SQL injection point. I threw random single and double quotes at it, but nothing indicated a valid SQL injection there. So I threw 'OR'1='1, watched the response, and that was it!

So I passed the request to sqlmap, and my sense was right: it was SQL injection. But there was a WAF to bypass in order to get the table names, which the program required for the report to be accepted. So what to do?!

sqlmap said it was an Informix DB, so I went to the Informix SQL injection cheat sheet on pentestmonkey and started doing it manually, but that was very tiring, so I switched to a tamper script to defeat the WAF and get the tables of the database. After some manual work I used the "between" tamper script, and the sqlmap command was like:


sqlmap -u "https://www.REDACTED.com/bin/image.jpeg?id=3872539053001&key=FUZZ" -p id --level 5 --risk 3 --fresh-queries --random-agent --batch --banner --dbs --dbms="Informix" --tamper=between --drop-set-cookie --time-sec=10 --no-cast --threads=9





sqlmap did the job by using tamper scripts that worked with the DBMS.


As we see here, these are the tables, but I can't reveal more info as it could disclose the vendor.

So here we bypassed the WAF by using a tamper script. If there were no suitable tamper script, I could have written a Python script to do the same thing; the idea is to know the syntax of the DBMS.
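As an added illustration (not code from the original post or the program), here is why a signature-based WAF in front of that id parameter was never a real fix: a blocklist that catches "OR 1=1" has no rule for the equivalent BETWEEN form that sqlmap's "between" tamper emits, while a parameterized query neutralises both. The WAF rule, the image table and its rows are constructed, and SQLite stands in for the Informix/DB2 backends so it runs offline.

```python
import re
import sqlite3

# Constructed stand-in for the lookup behind ".../bin/image.jpeg?id=...".
# The program's real backends were Informix and IBM DB2; SQLite is used here
# only so the example runs offline, and the table and rows are made up.
def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id TEXT PRIMARY KEY, path TEXT)")
    conn.execute("INSERT INTO images VALUES ('3872539053001', '/img/public.jpeg')")
    conn.execute("INSERT INTO images VALUES ('1', '/img/internal.jpeg')")
    return conn

CONN = _make_db()

# Hypothetical signature WAF rule: it blocks the classic "OR 1=1" tautology
# but has no rule for the BETWEEN form that means exactly the same thing.
BLOCKLIST = re.compile(r"(?i)\bor\b\s*\d+\s*=\s*\d+")

def waf_allows(value: str) -> bool:
    """True if the request parameter gets past the blocklist."""
    return BLOCKLIST.search(value) is None

def between_rewrite(payload: str) -> str:
    """Simplified version of the rewrite sqlmap's 'between' tamper performs:
    'A = B' becomes 'A BETWEEN B AND B', so an '=' signature never fires."""
    return re.sub(r"(\w+)\s*=\s*(\w+)", r"\1 BETWEEN \2 AND \2", payload)

def lookup_concat(image_id: str) -> list:
    """Vulnerable: the id is pasted into the statement, which is what the
    write-up's 'OR'1='1 probe showed was happening on the endpoint."""
    sql = f"SELECT path FROM images WHERE id = '{image_id}'"
    return [row[0] for row in CONN.execute(sql)]

def lookup_param(image_id: str) -> list:
    """Hardened: the id is bound as data, so no input can change the query."""
    sql = "SELECT path FROM images WHERE id = ?"
    return [row[0] for row in CONN.execute(sql, (image_id,))]

if __name__ == "__main__":
    probe = "3872539053001' OR 1=1 --"
    evasive = between_rewrite(probe)
    print(waf_allows(probe), waf_allows(evasive))  # blocklist misses the rewrite
    print(lookup_concat(evasive))  # both rows leak through the concatenated query
    print(lookup_param(evasive))   # nothing: the bound value matches no id
```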

In total it was about 5 SQL injections, found with the help of tamper scripts; the DBMSs were IBM DB2 and Informix, and one of the endpoints was on the main domain (search).



That was the total of bounties and SQL injections for this target, and it was a nice program.

Thank you 

./bye