Sql Injection via hidden parameter
Hello Everyone, I am Rutvik Hajare and I am new in the cyber field.This is my first write-up on one of critical findings. usually i hate blog writing but anyways.
Ok everyone knows what is sql injection.For those who are new in this field or don’t know what is it the Owasp has very good and short description about sql injection.
Without wasting time get to findings.
The target was the trading company let’s call it redacted.com, Without doing any kind of recon i simply register on target and it redirected to me on the dashboard. I refresh the page while running burp proxy for checking requests. After checking i found nothing interesting. But in web app their was another option where i can see/downloads my trading reports. I generate the example report and download it while running burp proxy.
The interesting part i found that for downloading report web app was requesting for fetching the bank id, user id and etc. After lot of request checking i came up on the following request.
To access the resource of the above request i’ve to provide the token ( which i don’t have )
Then i stated directory bruteforcing on the above endpoint and found the valid directory “bankacc”. But the response was empty. So i thought for finding hidden parameter and started param miner.
And found the status parameter. i tried to send some arbitrary value and boom !! i got the sql error.
I quickly injected 1' AND sleep(5) — payload in status parameter and yay i got the 5 sec delay and confirmed the vulnerability.
Immediately I fired up sqlmap and pass this request to it ! Within a minute I dumped there all database :) !!
Small tip never forget to try sql injection on hidden parameters.
Hope you like this ! and sorry for bad English :)
Thanks for reading !!