Everyone is sick in the house but I had some running scans I needed to check up on. I found a SQL injection bug on a blog. Here's how I did it, so you can learn... 👇
Firstly, I ran reconFTW on a set of domains related to the target. I had the main domain, and several acquisition domains running too. The acquisitions were gathered from CrunchBase and Wikipedia. This gave me a pretty good list of targets.
GitHub - six2dez/reconftw: reconFTW is a tool designed to perform automated recon on a target domain
ReconFTW runs screenshotting on all web-resolvable domains and subdomains. I opened that folder and saw what looked to be a marketing campaign site that was super old, for a product the company no longer supported. To further confirm, the copyright footer was from 2016.
This means the site hasn't seen much love in a while. I browsed the site and immediately saw paths that were WordPress. When hacking WordPress, the de facto standard is using a tool called WPScan (@_WPScan_).
There are also some other free alternatives listed here:
The patterns fed to gf are from a talk I did at @defcon called "Hunt: Data-Driven Web Hacking & Manual Testing". This project statistically identified the most susceptible parameters to certain types of security vulns. You can watch the talk here:
The output of gf and the patterns (tied together by ReconFTW) showed me several path/parameters for a plugin that WPScan *didn't* identify. Several of the parameters had the nomenclature "id" in them.
I always test "ID" parameters because I associate them with database interaction. The same with any of these patterns:
Sure enough, inserting a single ' into one caused an error, and inserting two '' did not. A classic old-school SQL injection sign. I'd like to say that I did the rest of the injection to prove impact manually, but I didn't. I used @sqlmap, which is the best-in-breed tool for testing SQL Injection. You can learn more about it here:
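Why one quote errors and two don't, as an added example (not code from the thread or from the plugin in question): the constructed in-memory table and the two lookup functions below are my illustration. The first splices the id parameter straight into the SQL text, so a lone ' leaves the string literal unterminated and the statement fails to parse, while '' is the SQL escape for a literal quote and parses cleanly. The second binds the value as a parameter, so the quote can never alter the statement.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a plugin's table; the rows are sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)", [(1, "Launch post"), (2, "FAQ")]
    )
    return conn


def lookup_concat(conn, item_id):
    """Vulnerable pattern: the request parameter becomes part of the SQL text."""
    sql = "SELECT title FROM items WHERE id = '" + item_id + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, item_id):
    """Hardened pattern: the value is bound, so it is data, never SQL syntax."""
    return conn.execute(
        "SELECT title FROM items WHERE id = ?", (item_id,)
    ).fetchall()


def probe(fn, conn, value):
    """Run one lookup and report ('ok', rows) or ('error', message).

    This lets the two patterns be compared on the same input: for the
    concatenating version, "1'" is a parse error but "1''" is not, which is
    exactly the asymmetry that flags a likely injection point.
    """
    try:
        return ("ok", fn(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1''"):
        print(repr(value), "concat:", probe(lookup_concat, db, value)[0],
              "| param:", probe(lookup_param, db, value)[0])
```

The parameterized version simply returns no rows for the quoted values, because the bound string does not equal any id; the structure of the query is untouched. That is the behaviour a fixed plugin should show.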
I also wanted to give a complete picture as to what parameters (there were a lot) were injectable. I passed the URLs as a file to sqlmap with something like this:
which found a couple more params vulnerable.
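From the site owner's side, the probing described above leaves a recognisable trail in the web server access log: quote characters in id-style parameters, a 5xx right after one, and sqlmap's default User-Agent (which names the tool). The script below is an added example, not something from the thread; the log lines are constructed for it, the plugin path is made up, and the detection rules are my own choice of what to flag.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format access log; hosts, paths and times are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:14:02:11 +0000] "GET /?p=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:14:02:19 +0000] "GET /wp-content/plugins/campaign/view.php?id=1%27 HTTP/1.1" 500 311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:14:02:20 +0000] "GET /wp-content/plugins/campaign/view.php?id=1%27%27 HTTP/1.1" 200 4877 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2023:14:05:02 +0000] "GET /wp-content/plugins/campaign/view.php?id=2 HTTP/1.1" 200 4901 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:14:06:40 +0000] "GET /wp-content/plugins/campaign/view.php?id=1 HTTP/1.1" 200 4877 "-" "sqlmap/1.7 (https://sqlmap.org)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
ID_LIKE = re.compile(r"id", re.IGNORECASE)  # same heuristic the thread uses


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return one alert per request that shows a sign of SQL injection probing."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if "sqlmap" in rec["ua"].lower():
            reasons.append("sqlmap user-agent")
        quoted = False
        for name, value in parse_qsl(urlsplit(rec["path"]).query, keep_blank_values=True):
            if "'" in value:  # parse_qsl has already decoded %27
                quoted = True
                kind = "id-like param" if ID_LIKE.search(name) else "param"
                reasons.append(f"quote in {kind} {name!r}")
        if quoted and rec["status"].startswith("5"):
            # A server error on a quoted value is the signal the attacker is looking for.
            reasons.append("server error on quoted value")
        if reasons:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                           "status": rec["status"], "reasons": reasons})
    return alerts


def suspicious_sources(alerts):
    """Count alerts per client IP so repeat probers rise to the top."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["status"], a["path"], "->", "; ".join(a["reasons"]))
    print(suspicious_sources(found))
```

On the sample data three of the five requests are flagged, all from the same source: the single-quote request that produced a 500, the double-quote follow-up, and the sqlmap run. The 500 on a quoted id is the one worth paging on, since it is the server admitting the quote reached the query parser.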
Blog or not, this is my general strategy for finding SQL Injection bugs. Hopefully, it's not a duplicate 🤞