Assalamu alaekum gentlemen, I am happy to share that I found a SQL injection in one of the web applications of a college. I was able to enumerate the whole DATABASE, including information about students, admins, etc., and lots of sensitive data was available.
It has been months since I last wrote, so here we go.
First of all, it is a myth, and one that should be cleared from our minds, that SQL injections no longer exist. They exist, lying under some endpoints, just waiting to be found and exploited by us.
# A quick run-through
SQL injection is a web application security vulnerability that allows an attacker to inject SQL into the queries a web application sends to its database, potentially leading to unauthorized data access, modification, or deletion.
We all know that college/govt. websites are pretty DAMN vulnerable. My friend had just registered at a college and got login credentials with which he could check details about his admission, fees, exams, etc. I asked for his creds and checked what was in there.
Then an endpoint caught my eye: /studentzone/payment_new.php
I checked which semester's fees had been submitted and intercepted the request https://some-college.com/studentzone/fee_details.php?sem=3 in Burp (our all-time buddy). Put a double quote in the sem parameter ….. no explosion.
Then I put a single quote… booom, got a 500 Server Error. If you see a 500 Server Error upon putting in a quote, that marks the beginning of your SQLi journey. Then I put two single quotes and got 200 OK, which confirmed that there was a SQL injection vulnerability sitting in there. (A lone single quote unbalances the string literal in the query so it no longer parses; a doubled single quote is the SQL escape for a literal quote, so the query parses again.)
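To make the quote behaviour above concrete, here is an added example (my own, not the college's code): a constructed in-memory SQLite table standing in for the fee table, a handler that splices `sem` into the SQL text the way the 500/200 pattern suggests the endpoint did, and the same handler rewritten with a bound parameter. The table name, columns and data are assumptions.

```python
import sqlite3

# Constructed stand-in for the college fee table (assumed schema, not the real one).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fee_details (student_id INTEGER, sem INTEGER, amount INTEGER)")
    conn.executemany("INSERT INTO fee_details VALUES (?, ?, ?)",
                     [(1, 1, 5000), (1, 2, 5000), (1, 3, 6000)])
    return conn

def fee_details_vulnerable(conn, sem):
    # The 'sem' value is concatenated into the SQL text, so quote characters in it
    # are parsed as SQL. A broken query raises, which a PHP page typically surfaces
    # as a 500; the status string mimics that.
    sql = "SELECT amount FROM fee_details WHERE sem = '" + sem + "'"
    try:
        return "200", conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "500", []

def fee_details_safe(conn, sem):
    # Prepared statement: the value is bound, never parsed as SQL, so a quote in it
    # is just data. Every probe gets a 200 with no rows, i.e. no error-based tell.
    rows = conn.execute("SELECT amount FROM fee_details WHERE sem = ?", (sem,)).fetchall()
    return "200", rows

def probe_statuses(handler, conn):
    # The three probes from the write-up appended to a valid value:
    # double quote, single quote, and a doubled single quote.
    return {probe: handler(conn, "3" + probe)[0] for probe in ('"', "'", "''")}

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe_statuses(fee_details_vulnerable, db))  # '  -> 500, '' -> 200
    print("safe:      ", probe_statuses(fee_details_safe, db))        # all 200
```

Run against the vulnerable handler the single quote gives 500 and the doubled quote 200, exactly the pattern seen on the endpoint; the parameterised handler never changes status, which is what a fix should look like when retested.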
Now it's sHoWtiMe.
I copied the whole request along with cookies and headers, put it in a file req.txt and handed it over to ghauri (a much better alternative to sqlmap). Ghauri is just my preference, as I have got better results from it in the past; you can use sqlmap if that suits you.
Ghauri identified that the backend was MySQL and that there was a blind SQL injection, exploitable by both time-based and boolean-based techniques.
Tried to spawn a shell but no luck; queries were not executing for some reason I don't know. We should always try every way.
Continued with enumerating it and got the whole database dumped….
The database contained very sensitive information of the college which could be used to disrupt the whole management of the college and for further exploitation against the college authority.
I immediately wrote a detailed report about the critical security issue and mailed it to the college.
# Take Away
Always check every endpoint and parameter and observe how the web application reacts when you (the user) supply unexpected input.
Disclaimer: It is for educational purposes only; the information mentioned should not be used to harm any organization.
Clap if you liked it, also… if you would like to connect you can find me on LinkedIn.