Rohit Profile picture
Security engineer @godaddy & a globetrotter.

Aug 25, 2022, 11 tweets

#Learn365 - Day 6โƒฃ

Can you identify and exploit the #security bug? ๐Ÿค”

In today's thread lets learn about exploit writing ๐Ÿงต๐Ÿ‘‡

#infosec #appsec #bugbountytips #security

This is SQLi. easy to guess. Which field is vulnerable : username.

But the tricky part is how to exploit it.
If you disect the code, you would notice that SQL statement should always return one single word. Otherwise comparison will anyway fail in PHP code.

What next ?

What do you think will happen if I input :

" or 1=1;--

Think first !!
.
.
.
.
.
.
This will make SQL return entire password column.
Inturn, PHP check will fail at line #2.

So, you have to make SQL statement return 1 single word, and that should be password which u can match.

If you want to achieve that, you can not use, generic 1=1 payload.

If you know In SQL there are UNIONS right ? Can we use them ?

Can we use UNION to dump the password which can match the check in PHP ?

I think yes !!
Go on !!

Slight detour, in SQL you can dump whatever you want. You know there is DUAL table ? A dummy table.

SELECT 'sec_r0' from DUAL;

This will dump a single value `sec_r0` in the output.
.
.
.
.
.
Can we use something like this to dump password of our own wish?

Lets see the modified SQL query with UNION stmts

" or 1=1 UNION (SELECT 'sec_r0' from DUAL) ; --

What do you think this would do ?
.
.
.
.
THINK
.
.
.
.
This will dump the entire password col with last value of our own wish, right ?
But we don't want the password col !!

If we dont want password col, can we remove the results of previous table of UNION completely ?

<table1> UNION <table2>

where
table1 output is coming from

SELECT password from USER where username="" or 1=1

and entire table is dumped because of 1=1, what if we negate it?

Yes, that the magic. No see the payload.

" or 1!=1 UNION (SELECT 'sec_r0' from DUAL) ; --

.
.
.
.
THINK
.
.
.
.
This would negate the first table query completely and would only dump 'sec_r0' in output, yes ?

That's the magic of UNION.

Are we done ?

Is this our final exploit ?
.
.
.
.
No
Why ?
Because, PHP is assuming the passwords are stored in MD5. That's why the input password is first MD5ed and then compared.

So guess what would be perfect exploit.

So lets calculate value of MD5 of sec_r0.
MD5(sec_r0) = ccf0d111cd0c1e45708a0aef7b2bcb74

So in payload I would put.
" or 1!=1 UNION (SELECT 'ccf0d111cd0c1e45708a0aef7b2bcb74' from DUAL) ; --

and in input password I would put, sec_r0.

And Bingo.
I will bypass the Auth.

Isnt that amazing ?

Keep this tweet bookmarked. You never know if someone ask you this in an interview.

Also,
If you like the way I explained, consider ๐Ÿ” the thread.
Also, stay tuned(follow @sec_r0 ) for more such interesting threads.

I am running #Learn365 โค๏ธ

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling