Hi,
Going to share a vulnerability that was discovered last year (for bounty program) that for me, quite a rare one and it was the first that I had found since my involvement in pentesting world.
The website was using Microsoft SQL Server and one of the parameter was vulnerable to Blind SQL Injection attack. How did I know? Obviously by triggering the TRUE/FALSE condition.
Nothing fancy here. Just a normal/common testing to check on the vulnerability. The problem came after that where:
Had no idea on that until found a post by v1d0q in https://rdot.org/forum/showthread.php?t=826
The last query shown was new to me on that time, but surprisingly it was working!
Such as an example:
@@LANGID usually will be 0 for default (English language)
@@TEXTSIZE can be bigger than 1000
Didn't stop at there, I tried using another Transact-SQL to ensure my result is not a false-positive. And most of the query did the positive job :)
Submitting this limited POC to the program's owner, luckily they view and confirm the issue at their backend as well. Rewarded and satisfied!
Here are examples performed on a testing server.
Disclaimer: I still don't know the exact explanation behind this issue. Need to locate some times and do some research in future :)
References:
https://rdot.org/forum/showthread.php?t=826
https://msdn.microsoft.com/en-us/library/ms186266.aspx
https://msdn.microsoft.com/en-us/library/ms177687.aspx
http://www.sqlservercurry.com/2010/11/change-default-language-for-sql-server.html
Going to share a vulnerability that was discovered last year (for bounty program) that for me, quite a rare one and it was the first that I had found since my involvement in pentesting world.
The website was using Microsoft SQL Server and one of the parameter was vulnerable to Blind SQL Injection attack. How did I know? Obviously by triggering the TRUE/FALSE condition.
http://bounty/yadayada.asp?id=8888'+AND+'1'+LIKE+'1 --> page will be loaded normally.
http://bounty/yadayada.asp?id=8888'+AND+'2'+LIKE+'1 --> page will be blank.
Nothing fancy here. Just a normal/common testing to check on the vulnerability. The problem came after that where:
- It is only shows the SQL Injection behaviour in Blind Attack
- Scanner/SQLMap was not working
- Seems it was using Stored Procedure method (I not sure, I'm noob here)
Few ways tried but none were successful in order for me to provide a working POC to the program. Further analysis I noticed that, the application was actually only able to response integer value with the user's privilege in used.
Had no idea on that until found a post by v1d0q in https://rdot.org/forum/showthread.php?t=826
The last query shown was new to me on that time, but surprisingly it was working!
http://bounty/yadayada.asp?id=8888'+AND+(@@TEXTSIZE>@@LANGID)+AND+'1'+LIKE+'1 --> page will be loaded normally.
http://bounty/yadayada.asp?id=8888'+AND+(@@LANGID>@@TEXTSIZE)+'1'+LIKE+'1 --> page will beFurther read I found that what I was actually trying to query is an existing Transact-SQL inside a MSSQL where its return types is either integer or smallint. And usually, these return types already have their own value.
blank
Such as an example:
@@LANGID usually will be 0 for default (English language)
@@TEXTSIZE can be bigger than 1000
Didn't stop at there, I tried using another Transact-SQL to ensure my result is not a false-positive. And most of the query did the positive job :)
Submitting this limited POC to the program's owner, luckily they view and confirm the issue at their backend as well. Rewarded and satisfied!
Here are examples performed on a testing server.
Disclaimer: I still don't know the exact explanation behind this issue. Need to locate some times and do some research in future :)
References:
https://rdot.org/forum/showthread.php?t=826
https://msdn.microsoft.com/en-us/library/ms186266.aspx
https://msdn.microsoft.com/en-us/library/ms177687.aspx
http://www.sqlservercurry.com/2010/11/change-default-language-for-sql-server.html
0 comments:
Post a Comment