How I Chained an Information Disclosure Bug with SQL Injection
Good day Hackers,
I’d like to appreciate God for helping me find this bug and I’ll be sharing how I was able to do so.
What is SQL Injection?
SQL injection is a type of web application security vulnerability that occurs when an attacker can input malicious SQL statements into an application’s input fields. This type of attack takes advantage of the fact that many web applications accept user input without properly validating or sanitizing it.
Summary
I got subdomains of my target and then visited one of the endpoints which was a login page. While I was on the page, I checked the DotGit Chrome Extension and I got a message about an exposed Git repository on the site. I clicked on it, and the .git/index directory was downloaded.
I viewed the file and behold, a huge number of unauthenticated directories were exposed. I tried my best to visit each endpoint but one of them stood out. It disclosed a MySQL error message:
After asking for help on Twitter, I finally had an idea of what to do. I began by adding the nom_hachage parameter to the URL and it was like:
https://target.com/endpoint.php?nom_hachage='The error message immediately changed to the content that was in the nom_hachage parameter.
I sent the whole request to both Ghauri and Sqlmap:
ghauri -u https://target.com/endpoint.php?nom_hachage=1 --dbspython3 sqlmap.py -u https://target.com/endpoint.php?nom_hachage=1Ghauri was able to retrieve the database name and user in less than 15 minutes while Sqlmap is still looking for an exploit😂.
Tip:
- Always chain bugs to get maximum impact.
Thanks for reading.
