{"id":1116,"date":"2020-12-15T15:02:57","date_gmt":"2020-12-15T15:02:57","guid":{"rendered":"https:\/\/zerothcode.com\/blog\/?p=1116"},"modified":"2020-12-24T17:08:51","modified_gmt":"2020-12-24T17:08:51","slug":"got-easy-sql-injection-bug","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/got-easy-sql-injection-bug\/","title":{"rendered":"How got easy $$$ for SQL Injection Bug"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
Bug Hello guys,<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n

This is my first Write Up and i want to share about \u201cHow i got easy $$$ for SQL Injection Bug\u201d<\/p>\n

Note : call the target as Redacted.com Bug<\/p>\n

Tools :\u00a0<\/strong>Burpsuite<\/p>\n

Proof of Concept : Bug<\/strong><\/p>\n

\n

1. Sign up for a new account<\/p>\n

2. Follow the instruction, and then i got this page :<\/p>\n<\/blockquote>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\n
\n
\n
\"Image<\/div>\n

\"Image<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n

3. So i got the url like this : Bug
\nhttps:\/\/redacted.com\/user\/activation\/xxx\/1325589<\/a>
\n1325589 is my user id. And the i try to add single quote ( \u2018 ) to try if the website has SQL Injection or not.
\nbut it didn\u2019t \ud83d\ude41<\/p>\n

4. But if you see the page again, the page has the Button \u201cResend Activation Link\u201d so now I turn on my intercept and click the Button.<\/p>\n

5. I got the request and the response like this : Bug<\/p>\n<\/blockquote>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\n
\n
\n
\"Image<\/div>\n

\"Image<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n

The response is redirected me to :
\nhttps:\/\/redacted.com\/user\/resendactivation\/xxx\/1325589\/?smsg=green<\/p>\n

6. So i try to modified the request with added a single quote like this :
\nhttps:\/\/redacted.com\/resend\/activation\/1325589′
\nand this is the response :<\/p>\n<\/blockquote>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\n
\n
\n
\"Image<\/div>\n

\"Image<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n

i got redirect to :
\nhttps:\/\/redacted.com\/signup_page\/xxx<\/p>\n

7. Now i try to edit the request and added –+- and the response like this :<\/p>\n<\/blockquote>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\n
\n
\n
\"Image<\/div>\n

\"Image<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n

the response is turn into the default request so i can confirm maybe its a SQL Inejction \ud83d\ude00<\/p>\n<\/blockquote>\n

\n
\n
\n
\n
\"Image<\/div>\n

\"Image<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n

\n

8. Now i try to edit the response and added \u201corder+by+5\u201d like this : Bug<\/p>\n<\/blockquote>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\n
\n
\n
\"Image<\/div>\n

\"Image<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n

The response is turn to False condition, so the column doesn\u2019t reach 5<\/p>\n

9. Try \u201corder+by+4\u201d \u2192 Still False<\/p>\n

10. Try \u201corder+by+3\u201d \u2192 True !!! \ud83d\ude00 Bug<\/p>\n<\/blockquote>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\n
\n
\n
\"Image<\/div>\n

\"Image<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n

so it meaning the column is till number 3<\/p>\n

11. So now i try to \u201cunion select\u201d like this :<\/p>\n<\/blockquote>\n

\n
\n
\n
\n
\n
\"Image<\/div>\n

\"Image<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n

\n

If you see the response i got redirect to :
\nhttps:\/\/www.redacted.com\/user\/resendactivation\/xxx\/3\/?smsg=green<\/a><\/p>\n

Yeah !!! I got the number 3.<\/p>\n

12. Now try to inject a sql query on number 3, like this: Bug<\/p>\n<\/blockquote>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\n
\n
\n
\"Image<\/div>\n

\"Image<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n

BOOM !!! I got the user.<\/p>\n

13. Now try to got the database name and the version, like this:<\/p>\n<\/blockquote>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\n
\n
\n
\"Image<\/div>\n

\"Image<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n

Reward\u00a0<\/strong>: $$$ Bug<\/p>\n

That\u2019s it for this write up from me, i hope you enjoying it.
\nAnd sorry for my bad English \ud83d\ude41 ,
\nSee you again in the next story<\/strong><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Bug Hello guys, This is my first Write Up and i want to share about \u201cHow i got easy $$$<\/p>\n","protected":false},"author":1,"featured_media":1117,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[715,625,1375,117,1309,210,217,496,578],"class_list":["post-1116","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=1116"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1116\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/1117"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=1116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=1116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=1116"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=1116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}