Power of Manual SQL Injection and Python

3 min read · Jan 13, 2019

Hello there! Hope you are doing great and learning loads of stuff from the community, like I am.

What is this article about?

This article is about how I was able to find an SQL injection vulnerability in a social website and how I was able to exploit it using Python. If you don't know about SQL injection or Python, I suggest visiting the following links.

SQL Injection

Python Programming Language

Searching for Vulnerabilities

As everyone knows, a vulnerability cannot be found directly. You have to spend lots of time and energy searching, and I did the same. I opened up Burp Suite (the favourite tool of every web pentester) and was testing every input and response I came across on that platform. As I was going through the menus, I saw an option, Invite Friends.

Invite Friends Option

On entering that page, I saw a bunch of options, but none of them was working because of broken authentication or whatever. Clicking on the last option took me to a new page which had a textarea for inserting multiple emails.

textarea for email address

As usual, I first typed some email addresses and checked the response, which was in JSON format.

Request

Response

[{"name":"","email":"test1@gmail.com","exist":0,"profileimage":"https:\/\/www.site.com\/assets\/front_end\/images\/avatar-1.svg"},{"name":"","email":"test2@gmail.com","exist":0,"profileimage":"https:\/\/www.site.com\/assets\/front_end\/images\/avatar-1.svg"}]

Now it was time to test for vulnerabilities, so I tried inserting a single quote (just like how we test for a simple SQL injection) and it returned a 403 Forbidden error. Just by appending "-- -- + --" at the end, the error went away and it returned a bunch of image URLs in the response, but the image name in one of them was empty (of course, the one containing the quote).

[{"name":"","email":"test1@gmail.com","exist":0,"profileimage":"https:\/\/www.site.com\/assets\/front_end\/images\/"},{"name":"","email":"test2@gmail.com","exist":0,"profileimage":"https:\/\/www.site.com\/assets\/front_end\/images\/avatar-1.svg"}]

Exploring the Vulnerability

Let's skip the stage of finding tables and columns. After finding the 4th (last) column vulnerable, I tried to check the format in which it returns the SQL injection result, so I tried a simple version() query and it responded with the same response but a little change. Instead of the image name (or a blank) at the end of one image link, it responded with the version, just like this.

Query

-test1@gmail.com' union select 1,2,3,version() -- -- + --

Response

[{"name":"","email":"test1@gmail.com","exist":0,"profileimage":"https:\/\/www.site.com\/assets\/front_end\/images\/1.2.9"},{"name":"","email":"test2@gmail.com","exist":0,"profileimage":"https:\/\/www.site.com\/assets\/front_end\/images\/avatar-1.svg"}]

I didn't know how to exploit it with SQLMap, so to minimise wasted time and get a clear reading of the response, I exploited it by writing a simple Python script that sends the request in JSON format, decodes the response, and splits and formats it. There I was able to find a lot of important information about users and admins (of course, it was their database).
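To make the root cause concrete, here is an added example (not the author's script, which is not on the page) of the lookup pattern the article describes beside its parameterised fix, modelled on a constructed SQLite table; the users table, its column names, the default avatar and the image base URL are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the site's user table (hypothetical schema, not the real one).
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, exist INTEGER, profileimage TEXT)")
    db.execute("INSERT INTO users VALUES ('Alice', 'alice@example.com', 1, 'avatar-7.svg')")
    return db

IMAGE_BASE = "https://www.site.com/assets/front_end/images/"  # assumed, as in the article's JSON

def db_version(db):
    """SQLite's equivalent of the MySQL version() probe used in the article."""
    return db.execute("SELECT sqlite_version()").fetchone()[0]

def to_entry(email, row):
    """Shape one entry like the article's JSON; unknown emails get the default avatar."""
    if row is None:
        return {"name": "", "email": email, "exist": 0, "profileimage": IMAGE_BASE + "avatar-1.svg"}
    name, _db_email, exist, image = row
    return {"name": str(name), "email": email, "exist": int(exist), "profileimage": IMAGE_BASE + str(image)}

def invite_lookup_vulnerable(db, emails):
    """The flaw the article exploits: the submitted email is spliced into the SQL text, so a
    value ending in a comment (-- ) rewrites the query and the 4th column (profileimage)
    carries whatever the injected SELECT chose back into the JSON response."""
    entries = []
    for email in emails:
        sql = "SELECT name, email, exist, profileimage FROM users WHERE email = '" + email + "'"
        entries.append(to_entry(email, db.execute(sql).fetchone()))
    return entries

def invite_lookup_fixed(db, emails):
    """Parameterised form: the driver binds the value, so a quote or UNION is just part of
    an email address that matches nothing, and the 4th column stays under the app's control."""
    entries = []
    for email in emails:
        sql = "SELECT name, email, exist, profileimage FROM users WHERE email = ?"
        entries.append(to_entry(email, db.execute(sql, (email,)).fetchone()))
    return entries

# The article's version() probe, written for SQLite (sqlite_version()) instead of MySQL.
PROBE = "' union select 1,2,3,sqlite_version()-- -"

if __name__ == "__main__":
    db = build_db()
    print(invite_lookup_vulnerable(db, ["test1@gmail.com", PROBE]))  # version leaks in profileimage
    print(invite_lookup_fixed(db, ["test1@gmail.com", PROBE]))       # both get avatar-1.svg, exist 0
```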

Update

Python script used for extracting column names: columns.py

Python script used for extracting table names: tables.py

Python script used for dumping all data: dump.py

Python GUI script for the final exploit: finalExploit.py

REPORTED AND REWARDED WITH 10,000 PKR.

Note

That company had no bug bounty program. They gave me permission to test the site after I sent them a simple XSS vulnerability.

The scripts above are not working now, because the vulnerability has been patched and I removed the site name.

Lesson Learned

Tools don’t make Hackers, Hackers make Tools.

Manual Finding is better than everything.


Written by Ijaz Ur Rahim

Just a Newbie with some Random Penetrating and Programming Skills. https://ijazurrahim.com/
