Jason Haddix
Apr 9, 12 tweets, 5 min read
4/8/22 #bugbountydiary #bugbountytips

Everyone is sick in the house but I had some running scans I needed to check up on.

I found a SQL injection bug on a blog.

Here's how I did it, so you can learn...

👇

🚨Like, retweet, & follow for more hacker tips!🚨

1/x
Firstly, I ran reconFTW on a set of domains related to the target. I had the main domain, and several acquisition domains running too. The acquisitions were gathered from CrunchBase and Wikipedia.

This gave me a pretty good list of targets.

2/x

github.com/six2dez/reconf…
ReconFTW runs screenshotting on all web-resolvable domains and subdomains.

I opened that folder and saw what looked to be a marketing campaign site that was super old, for a product the company no longer supported. To further confirm, the copyright footer was from 2016.

3/x
This means the site hasn't seen much love in a while.

I browsed the site and immediately saw paths that were WordPress.

When hacking WordPress, the de facto tool is WPScan (@_WPScan_).

4/x
There are also some other free alternatives listed here:

linuxsecurity.expert/tools/wpscan/a…

5/x
WPScan identified some, but not all, of the plugins.

ReconFTW (by @Six2dez1) also runs all spidered URLs through pattern matching.

They use gf by @TomNomNom to do this matching.

github.com/tomnomnom/gf

6/x
The patterns fed to gf are from a talk I did at @defcon called "Hunt: Data Driven Web Hacking & Manual Testing"

This project statistically identified the parameters most susceptible to certain types of security vulns. You can watch the talk here:

7/x
The output of gf and the patterns (tied together by ReconFTW) showed me several paths/parameters for a plugin that WPScan *didn't* identify.

Several of the parameters had the nomenclature "id" in them.

8/x
I always test "ID" parameters because I associate them with database interaction. The same with any of these:

github.com/1ndianl33t/Gf-…

Sure enough, inserting a single quote (') into one caused an error, and inserting two ('') did not.

A classic old-school SQL injection sign.

9/x
I'd like to say that I did the rest of the injection to prove impact manually, but I didn't.

I used @sqlmap, which is the best-in-breed tool for testing SQL Injection. You can learn more about it here:

github.com/sqlmapproject/…

10/x
I also wanted to give a complete picture as to what parameters (there were a lot) were injectable.

I passed the URLs as a file to sqlmap with something like this, which found a couple more params vulnerable.

11/x
Blog or not, this is my general strategy for finding SQL Injection bugs.

Hopefully, it's not a duplicate 🤞

🚨Like, retweet, & follow for more hacker tips!🚨

12/x
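As an added example (not from the thread), here is the server-side view of the probe in tweet 9/x: a scanner over constructed access-log lines that flags a parameter where a lone single quote drew a 5xx and the doubled quote on the same parameter drew a normal response, which is the signal a defender reviewing logs would hunt for. The IPs, paths and plugin name are made up, and a legitimate apostrophe in a search term is included to show it is not flagged.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2022:10:01:02 +0000] "GET /wp-content/plugins/oldplugin/view.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2022:10:01:05 +0000] "GET /wp-content/plugins/oldplugin/view.php?id=42%27 HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2022:10:01:09 +0000] "GET /wp-content/plugins/oldplugin/view.php?id=42%27%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Apr/2022:10:02:00 +0000] "GET /?s=o%27neil HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# client, method, request target and status code from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (client, path, params, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    # parse_qsl percent-decodes, so %27 and a raw quote are treated alike
    return client, parts.path, parse_qsl(parts.query, keep_blank_values=True), int(status)

def quote_probe_kind(value):
    """'single' for exactly one quote, 'double' for one doubled quote, else None."""
    if value.count("'") == 1:
        return "single"
    if value.count("'") == 2 and "''" in value:
        return "double"
    return None

def find_sqli_probes(log_text):
    """Flag (client, path, param) where ' drew a 5xx and '' drew a non-error."""
    seen = defaultdict(set)  # (client, path, param) -> {(kind, status)}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, path, params, status = parsed
        for name, value in params:
            kind = quote_probe_kind(value)
            if kind:
                seen[(client, path, name)].add((kind, status))
    return sorted(
        key for key, events in seen.items()
        if any(k == "single" and s >= 500 for k, s in events)
        and any(k == "double" and s < 400 for k, s in events)
    )

PROBES = find_sqli_probes(SAMPLE_LOG)  # -> [('203.0.113.7', '/wp-content/plugins/oldplugin/view.php', 'id')]
```

The o'neil search term is a single quote with a 200, so it is recorded but never flagged; only the error-then-repair pair on one parameter is reported.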
