By Nitin Yadav

Finding a SQL Injection in a Social Media Website

Hello everyone,

We are back again with another writeup.


So last week we got a penetration testing project, and this time it was a social media website. We found many vulnerabilities, but here we will talk about the SQL injection we found on the last day of the project.


Let's first get to know about the website.


The website is a private social media site, and to create an account you need an invite code.


After adding the invitation code we are redirected to proxy.victim.com, so first we tried open redirection there, but after using some payloads we were unable to achieve an open redirect.


On the first and second day we were able to find some session-based bugs and some XSS.


But on the third day we once again tried to find an open redirection, and the payloads used were:



After using /\victim.com:80%40google.com we were able to redirect to Google.


We were able to find many bugs, but we still hadn't found our favourite bug: SQL injection.


So on the last day we focused only on SQL injection.


As we were reviewing our reports I came back to the first bug we had found, the open redirection.


It has a parameter, invite_code, and I started playing with it.


While registering, a POST request was made, and the request looked like this:


POST /interaction/abc/signup HTTP/2
Cookie: <session_cookies>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Te: trailers

Parameter=xxx&name=xxx&invite_code=xxx-&a=25&terms=on&rules=on


Adding a single quote (') to the invite_code parameter returns a 500 error, and adding a second quote returns a 200.


After some time playing with it I was able to find a time-based SQL injection, and the payload was:


');(SELECT 4564 FROM PG_SLEEP(5))--


And the server takes 5 seconds to reply.
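As an added example that is not part of the original post, the following Node.js snippet models why the invite_code input behaved as observed (a database error on one quote, a normal response on two, and a stacked statement with the PG_SLEEP payload) and shows the bound-parameter form that removes the injection. The query shape and the invitation_tokens lookup are assumptions; the post never shows the server-side code.

```javascript
// Added example, not from the original post: models why invite_code behaved
// as observed and shows the bound-parameter fix. The query shape is assumed.

// Hypothetical vulnerable lookup: the invite code is spliced into the SQL text.
function buildVulnerableQuery(inviteCode) {
  return `SELECT id FROM invitation_tokens WHERE token = '${inviteCode}'`;
}

// Hardened form: the value travels as a bind parameter, never as SQL text
// (Knex equivalent: knex.raw('... WHERE token = ?', [inviteCode])).
function buildSafeQuery(inviteCode) {
  return { text: 'SELECT id FROM invitation_tokens WHERE token = $1', values: [inviteCode] };
}

// Minimal PostgreSQL-style lexer: honours '' escapes inside string literals
// and "--" line comments, and reports what the database parser would see.
function analyzeSql(sql) {
  let inString = false, afterSemicolon = false, statements = 1;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inString) {
      if (c === "'") {
        if (sql[i + 1] === "'") i++;            // '' is an escaped quote
        else inString = false;
      }
      continue;
    }
    if (c === '-' && sql[i + 1] === '-') break; // rest of the line is a comment
    if (c === ';') { afterSemicolon = true; continue; }
    if (afterSemicolon && !/\s/.test(c)) {      // real text follows the ';'
      statements++;
      afterSemicolon = false;
    }
    if (c === "'") inString = true;
  }
  return { unterminatedString: inString, statements };
}

// Maps the lexer result onto the behaviour seen in the test: an unterminated
// literal is the 500 (syntax error); a second statement is the stacked query
// that let PG_SLEEP run; two quotes collapse to one escaped quote (the 200).
function classify(inviteCode) {
  const r = analyzeSql(buildVulnerableQuery(inviteCode));
  if (r.unterminatedString) return 'syntax-error';
  if (r.statements > 1) return 'stacked-query';
  return 'single-statement';
}
```

Running classify over the same three inputs the post describes reproduces the 500/200/delay pattern, while buildSafeQuery keeps the payload as an inert bound value.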


So I used sqlmap and was able to find the following tables:


  • allowlist
  • disallowed_handles
  • invitation_tokens
  • knex_migrations
  • knex_migrations_lock
  • oidc_payloads
  • regexp_disallowed_handles
  • sub_to_account
  • waitlist


And the sqlmap command used was:

I hope you enjoyed this one and learned something new.


See you next time 😉


Take care, happy hacking!

