.png)
1 year ago
54 BOOK THIS SPACE FOR AD
ARTICLE ADHello friends. I hope you are well, I am MR_NETWORK. Today, in this writeup, I am going to share with you two of the vulnerabilities that I was able to discover some time ago and get a reward for them, I hope you like it and find it useful. Before anything else, let me explain the vulnerabilities first so that you fully understand what I did .
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.
In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user’s data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data.
*Because I did not ask permission from the security team, we consider the name of the website to be target.com .First, I visually looked at the desired target so that I could find an endpoint on it. I always use different ways to get to all vulnerabilities, so I used recon to start with!! Maybe you have a question about what recon is. ummm …. It appeared to be an airline service site It is the collection of information about the website. This is done so that we can find a lot of information and move our work forward more easily, in fact we can find the weak points. I initially considered a vulnerability for testing, a very dangerous SQL injection vulnerability. There are different models such as get and post Google dorks can be used to test it, which I did like this
(site:target.com inurl:id=)
As you can see, I seem to have progressed well. Because I was able to find this URL.
(https://www.target.com/news.php?id=2 )
But we still have to see if this page is vulnerable or not, for this we should put a (‘) next to the URL .
But what are the signs that we should receive to understand whether there is a vulnerability or not?!
1: page not loading
2 : Page incomplete
3: Show the related error SQL
4: Late page loading and many errors
Okay . We encountered the third case, an error related to SQL.In this case, we have two ways, the first way is to manually test this vulnerability. And the second way is to test this vulnerability using the SQL Map tool .
But in order to reach the result sooner, I decided to test with the tool.
We were able to see the names of the databases, this means that this bug is completely present and valid.
In the following, we must use this command.
( sqlmap -u “https://www.target.com/news.php?id=2" -D target02017 — tabes)
Okay . We were able to extract the table names. We use this command to continue .
(sqlmap -u “https://www.target.com/news.php?id=2" D target02017 -T tbladmin –column )
Well, we were able to get the admin information and we can use it. But we can still report because this bug is completely valid, but we are still trying to increase its severity.
e use this command to identify the bug.
Well, it looks like it was able to find an XSS with the corresponding payload and the vulnerable page. This is a good address, but we have to be completely sure of the vulnerability, so we go to the vulnerable page and test it manually.
As the tool specified for us. We must give a value to the Id parameter, for example I entered xss. The only thing we need to do is press CTRL+U on the keyboard to see the source page of the site and check if the value we gave has gone.
Great . Our value is incorrectly placed in the JavaScript code like this, so we can say that this vulnerability exists, but we have to test it. But this time, instead of the xss value we entered, we must enter a payload related to the xss vulnerability.
Okay . All we have to do is Inter
BOOOOOOM
We were able to reach the XSS vulnerability. But we still have to try to increase its intensity.
We can use this payload for testing
</script><script>alert(document.cookie)</script>
This is very awesome. Because HttpOnly Flag is not active and we can steal cookies . I finally decided to report these two vulnerabilities to that company to see what they would say. Usually, the security team responds late because they have to triage or reproduce the vulnerability, which means they have to check the vulnerability to make sure it is correct, but I think because the vulnerability is very serious and very dangerous. and its level is P1, they should check it soon and give an answer, so I reported and waited . The points I learned from this vulnerability.
1: We should always implement all ideas on target
2: Gather information about the desired target by using the recon discussion, because it makes us reach the vulnerabilities sooner .
3: We should always try not to report the vulnerabilities that we hit too soon, we should work on them more so that their severity increases.
Bengali (Bangladesh) · 
English (United States) ·