top of page

Bug-Bounty/Hacking Diary 4/8/22 - SQL Injection

Everyone is sick in the house but I had some running scans I needed to check up on. I found a SQL injection bug on a blog. Here's how I did it, so you can learn... ๐Ÿ‘‡

Firstly, I ran reconFTW on a set of domains related to the target. I had the main domain, and several acquisition domains running too. The acquisitions were gathered from CrunchBase and Wikipedia. This gave me a pretty good list of targets.

GitHub - six2dez/reconftw: reconFTW is a tool designed to perform automated recon on a target domain

ReconFTW runs screenshotting on all web-resolvable domains and subdomains. I opened that folder and saw what looked to be a marketing campaign site that was super old for a product the company no longer supported. To further confirm the Copyright footer was from 2016

This means the site hasn't seen much love in a while. I browsed the site and immediately saw paths that were WordPress. When hacking WordPress, the defacto is using a tool called WPScan (@_WPScan_ ).

There are also some other free alternatives listed here:

WPScan alternatives -

WPScan identified some, but not all, of the plugins. ReconFTW (by @Six2dez1 ) also runs all spidered URLs through pattern matching. They use gf by @TomNomNom to do this matching.

GitHub - tomnomnom/gf: A wrapper around grep, to help you grep for things

The patterns fed to gf are from a talk I did at @defcon called "Hunt: Data-Driven Web Hacking & Manual Testing" This project statistically identified the most susceptible parameters to certain types of security vulns. You can watch the talk here:

The output of gf and the patterns (tied together by ReconFTW) showed me several path/parameters for a plugin that WPScan *didn't* identify. Several of the parameters had the nomenclature "id" in them.

I always test "ID" parameters because I associate them with database interaction. The same with any of these patterns:

Gf-Patterns/sqli.json at master ยท 1ndianl33t/Gf-Patterns

Sure enough, inserting a: ' into one caused an error, and inserting two ' did not. A classic old-school SQL injection sign. I'd like to say that I did the rest of the injection to prove impact manually, but I didn't. I used @sqlmap , which is the best-in-breed tool for testing SQL Injection. You can learn more about it here:

GitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover tool

I also wanted to give a complete picture as to what parameters (there were a lot) were injectable. I passed the URLs as a file to sqlmap with something like this:

which found a couple more params vulnerable.

Blog or not, this is my general strategy for finding SQL Injection bugs. Hopefully, it's not a duplicate ๐Ÿคž

1,739 views0 comments

Recent Posts

See All
bottom of page