Everyone is sick in the house but I had some running scans I needed to check up on.
I found a SQL injection bug on a blog.
Here's how I did it, so you can learn... 👇
Firstly, I ran reconFTW on a set of domains related to the target. I had the main domain, and several acquisition domains running too. The acquisitions were gathered from CrunchBase and Wikipedia. This gave me a pretty good list of targets.
ReconFTW runs screenshotting on all web-resolvable domains and subdomains. I opened that folder and saw what looked to be a marketing campaign site that was super old for a product the company no longer supported. To further confirm the Copyright footer was from 2016
This means the site hasn't seen much love in a while. I browsed the site and immediately saw paths that were WordPress. When hacking WordPress, the defacto is using a tool called WPScan (@_WPScan_ ).
There are also some other free alternatives listed here:
WPScan identified some, but not all, of the plugins. ReconFTW (by @Six2dez1 ) also runs all spidered URLs through pattern matching. They use gf by @TomNomNom to do this matching.
The patterns fed to gf are from a talk I did at @defcon called "Hunt: Data-Driven Web Hacking & Manual Testing" This project statistically identified the most susceptible parameters to certain types of security vulns. You can watch the talk here:
The output of gf and the patterns (tied together by ReconFTW) showed me several path/parameters for a plugin that WPScan *didn't* identify. Several of the parameters had the nomenclature "id" in them.
I always test "ID" parameters because I associate them with database interaction. The same with any of these patterns:
Sure enough, inserting a: ' into one caused an error, and inserting two ' did not. A classic old-school SQL injection sign.
I'd like to say that I did the rest of the injection to prove impact manually, but I didn't. I used @sqlmap , which is the best-in-breed tool for testing SQL Injection. You can learn more about it here:
I also wanted to give a complete picture as to what parameters (there were a lot) were injectable. I passed the URLs as a file to sqlmap with something like this:
which found a couple more params vulnerable.
Blog or not, this is my general strategy for finding SQL Injection bugs. Hopefully, it's not a duplicate 🤞
Comments