Hacking
January 8, 2023

Three SQL injections in just 10 minutes

Hello friends, in this article I will tell you how I found three simple SQL injections in a private program. Let's call the company's domain example.com.

After collecting subdomains, I noticed one very interesting one: it had a login page and ran PHP 7 on a Windows server.

You can find out which technologies a site uses with Wappalyzer.

Since I knew the site ran PHP, I tried putting a single quote in the username field and logging in. The response showed a raw SQL error, which means sqlmap can be used.

To do this, place ' in any field of the login form, intercept the request with Burp Suite and save the request to a file.

Then do:

sqlmap -r req.txt --batch --dbms=mssql --level 5 --risk 3 --dbs

This can also be done manually with the payload:

admin' SELECT 1, @@VERSION, 3--

Good! That's the first SQL injection; let's dig deeper.

While fuzzing, I found another endpoint, getimage.php. You can find it with ffuf, DirBuster or dirb. This endpoint takes a parameter id, which is also vulnerable.

We go to the getimage endpoint, intercept the request in Burp Suite and use the Param Miner extension to search for hidden parameters.

OK, now we have the id parameter; let's run sqlmap against it.

sqlmap -u 'https://sub.ex.net/getimage.php?id=1' --batch --dbms=mssql --level 5 --risk 3 --dbs

Wow! We got a second vulnerability.

Next I did the same and found another endpoint, downloads.php, which has a parameter named dir.

sqlmap -u 'https://sub.ex.net/downloads.php?dir=a' --batch --dbms=mssql --level 5 --risk 3 --dbs

Wow! We got a third vulnerability!
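All three findings are the same bug class: request input spliced into SQL text, plus an error page that echoes the database's complaint back to the browser. Here is what the server-side fix looks like for PHP 7 with Microsoft SQL Server. This is an added example, not code from the program's owner or from this write-up: a login handler, a getimage.php handler and a downloads.php handler using PDO prepared statements. The table and column names, the DSN values, the login.php script name and the allow-list of download directories are assumptions made for illustration.

```php
<?php
// Added example (not the target's code): hardened handlers for the three endpoints
// from the write-up, using PDO prepared statements against Microsoft SQL Server.
// Table/column names, the DSN and the download allow-list are assumptions.
declare(strict_types=1);

function connect(): PDO
{
    // sqlsrv PDO driver; host, database and credentials are placeholders.
    $pdo = new PDO('sqlsrv:Server=DB_HOST;Database=APP_DB', 'app_user', 'APP_PASSWORD');
    // Raise exceptions so failures are caught below instead of leaking into the page.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Login form. The vulnerable pattern splices the field into the SQL string,
// so a single quote ends the literal and the rest of the field becomes SQL:
//   $sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";
// With a bound parameter the value travels separately from the query text,
// and a quote in the username is just a character in the data.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// getimage.php?id=... : validate the type first, then bind as an integer.
function getImagePath(PDO $pdo, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // anything that is not a positive integer never reaches the database
    }
    $stmt = $pdo->prepare('SELECT path FROM images WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $path = $stmt->fetchColumn();
    return $path === false ? null : $path;
}

// downloads.php?dir=... : a free-text name is checked against an allow-list
// before use, and is still bound rather than concatenated.
function listDownloads(PDO $pdo, string $dir): array
{
    $allowed = ['manuals', 'drivers', 'firmware']; // assumed categories
    if (!in_array($dir, $allowed, true)) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT filename, size_bytes FROM downloads WHERE dir = ?');
    $stmt->execute([$dir]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Front controller: database errors are logged server-side and the client gets a
// generic status code, so probing with a quote no longer reveals an SQL error page.
ini_set('display_errors', '0');
try {
    $pdo = connect();
    switch ($_SERVER['SCRIPT_NAME'] ?? '') {
        case '/login.php': // assumed name of the login script
            $ok = login($pdo, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
            http_response_code($ok ? 200 : 401);
            break;
        case '/getimage.php':
            $path = getImagePath($pdo, (string)($_GET['id'] ?? ''));
            if ($path === null) {
                http_response_code(404);
                break;
            }
            header('Content-Type: image/jpeg');
            readfile($path);
            break;
        case '/downloads.php':
            header('Content-Type: application/json');
            echo json_encode(listDownloads($pdo, (string)($_GET['dir'] ?? '')));
            break;
        default:
            http_response_code(404);
    }
} catch (PDOException $e) {
    error_log('database error: ' . $e->getMessage());
    http_response_code(500);
}
```

Two points matter for detecting this class of bug before a researcher does: the single quote that gave away the first injection only worked as a probe because the raw SQL error reached the browser, and a sqlmap run at `--level 5 --risk 3` sends hundreds of requests with quotes, comment sequences and `@@VERSION`-style expressions in a short burst, which is easy to spot in web server logs once application errors are logged server-side instead of displayed.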