BOOK THIS SPACE FOR AD
ARTICLE ADhello everyone,
Today I will share how I found a blind SQL injection vulnerability in an Indian government website.
So, let’s get started.
I started hunting on government websites a few weeks ago. I used google Dork to find gov.in websites. the first website in search results was the Kerala government’s website.
so, I decided to start my journey with that web. I can’t disclose the name, so we will use it as target.gov.in in this write-up.
SQL injection (SQLI) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application’s database server.
impact:
An attacker can use SQL injection to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.
I started digging into the website. First tried some basic SQL injection payloads on the login form and images features. But got nothing.
I was frustrated.
after 2hrs break, I again started exploring the web. I’m just clicking on every link and button of the website and viewing the requests in burp.
While clicking on the notifications page, there is a feature to select your city. I clicked on one city and got this parameter in URL:
PHP?flag=E&mnupath=xyz&opt=2
I thought to test SQL injection on them.
First I tried Union and error-based SQL injections, but there are no results from the server-side.
Then I tried time-based SQL.
I captured the request in burp and injected this payload into the mnupath variable
SELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(20)+END —
And that was strange, the server took too much time to respond. First I thought it was my slow Internet. but when I changed the payload value to 50 secs, the server again took 50 sec to respond.
Now I’m sure that was a blind SQL injection. I immediately opened up SQL map and it dumped the database.
I reported this bug to NCIIPC and got acknowledgment from the Indian government.
Steps:
1) go to https://target.gov.in/xml/xmlcontent.php?flag=E&mnupath=xyz&opt=2
2) capture the request in the burp suite, and send it to the repeater.
payload = SELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+END —
here, the mnupath parameter is vuln.
3) change mnupath value to
xyz’%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+END —
4) this will take 10 sec to respond. that means our condition is TRUE.
5) if the condition is false, then it will take normal time to respond.
after 2 days, i received mail from NCIIPC :)
So, that was my time based blind SQL injection bug on the Indian government website. Hope you liked it. Thanks for reading.