
How I got Owned A Multi-Billion Dollar Retailer’s MySQL Databases... https://medium.com/@nav1n/how-i-got-owned-a-multi-billion-dollar-ret...

nav1n

Mar 9 · 9 min read

How I got Owned A Multi-Billion Dollar Retailer’s MySQL Databases Using Simple SQL Injection
Hello All, thank you for passing by.

This is my first article on Medium. I normally hate writing blogs these days, as I’m
very active on Twitter sharing my bug bounty experience and tips if I find them
interesting. I’m not a good writer either, so if you find typos or grammatical errors,
please pardon me.

1 of 13 20-04-2023, 11:35 am

SQL injection (https://www.flickr.com/photos/149561324@N03/34852913554)

I have a personal blog, https://www.nav1n.com, where I used to write articles on
HackTheBox and TryHackMe, but I completely stopped almost 3 years ago. So, this
should be my second attempt at blogging.

This is the story of an SQL injection I found on a multi-billion dollar retailer’s
country-specific eStore and its user experience enhancement program. During the
recon I later found that the entire group’s websites are vulnerable to this specific
issue through one single parameter, which led me to try different things and ultimately
own their multiple database servers using simple SQL injection, with possible RCE
on some of them.

I didn't use any major tools or techniques, only the ones each and every bug bounty
hunter uses every day.

Keep reading the story of one of my best discoveries ever (I guess!). The post, I
believe, is a little lengthy; skip the beginning part if you do not wish to read the
blah-blahs.

Disclaimer: The article below is for educational purposes only. I in no way endorse
hacking or unethical ways to hack/test a website unless you have obtained
permission to do so.

The Enumeration Phase

I was recently going through a YouTube video on a specific recon process where
the presenter mentioned his discovery of some RCE and SQL injections on a
private BB target. He said he found those targets using simple Google dorks like:

site:*.*.xx inurl:bug inurl:bounty
site:*.*.xx.xx intext:security report reward
site:*.*.xx intext:security report reward

Being a bug hunter for years, I knew about these dorks but had never tried them in
real life.

I ran some of the dorks and found hundreds of targets, but most of them are VDPs
with HoFs (Hall of Fame) and no rewards. I kept looking and found this non-English
target. They had a security.txt page which said the scope applies to all of their group
companies’ web assets, including the international ones. The reward table said they
offer up to 3.5K EUR for SQLi and RCE and 500 for XSS etc., so I decided to work on
this target hoping to find some SQLi or RCE/CVEs etc.

Finding an SQL Injection

I know it’s easier to find SQL injection than RCE, so my initial target was SQL
injection attacks.

#1 Subdomain Enumeration:
My methodology is to find as many subdomains as possible if the target is huge
and allows subdomain enumeration. To enumerate subdomains, I prefer Netlas,
crt.sh and securitytrails.com.

I agree that the SecurityTrails service charge is very expensive if you compare it to a
lot of alternatives, but their free tier gives 50 API runs with unlimited subdomain
search per month.


#2 Certificate transparency search:

At first, I started to enumerate the subdomains using certificate transparency tools
like crt.sh and Netlas. Both of them together got me around 4961 (sub)domains
under the group name.

Netlas:

Sample netlas query to find certificates:

https://app.netlas.io/certs/?q=certificate.subject.organization%3A%22Microsoft%20Corpora

SecurityTrails:

Once I have the list from CT, I head to SecurityTrails, where I use the following
curl command (not mine, I found it in a Discord server) to find subdomains of their
main website.

curl -s --request GET --url https://api.securitytrails.com/v1/domain/target.xx.xx/subdom
| jq '.subdomains[]' | sed 's/\"//g' > target.xx.xx.txt 2> /dev/null
&& sed "s/$/.target.xx.xx/" target.xx.xx.txt | sed 's/ //g'

The script returns around 2k subdomains. I copied all of them to my Excel and
filtered the duplicates.

Funny part, I still use Excel to remove duplicates from my huge lists; I believe this is
the best and most efficient way, at least for me ;)

#3 HTTP Probing:

Now I have exactly 3154 unique subdomains. I copied them to my Kali machine and
ran httpx against them; in return, I got 2892 URLs in the basket that are ready
for further attacks.

URL List >> ParamSpider.py:

By far, ParamSpider by @0xAsm0d3us is considered one of the best parameter
fuzzer tools, or miners, whatever you call them. I also use Arjun by @s0md3v, but
honestly I feel a little more comfortable with PS.

Since my target is huge and ParamSpider by default supports only a single URL (I do
not understand why you do this to us, @0xAsm0d3us), I had to find an alternate
way to achieve this.

I found a piece of script with my old friend. This script takes a list of URLs, sends
it through xargs, removes duplicates and gives you a list. I had some errors
while running it, but the list was ready.

Scanning multiple URLs / a list of URLs using ParamSpider:

cat target.lst | xargs -n 1 -I {} python3 ~/ParamSpider/paramspider.py --domain {} --lev

The results were shocking: I now have a whopping one million, seven hundred and
ninety-six thousand, one hundred and forty-nine (1,796,149) lines…

The file size itself is ~96 MB. I thought it was not a wise idea to run all of them through
Burp Suite or SQLMap, because Kali and the host would eat up a lot of resources
and eventually crash, so I decided to break the file into multiple smaller files
of 10 MB each and work on them one by one.

I set up my Burp Suite and started scanning the small list. I started to get a lot of
low-hanging issues like open redirect, CORS, and even a few XSS, but no high or
critical issues.

Note: A lot of readers asked me how it is possible to scan multiple URLs in Burp
Suite. Yes, it’s possible with the Burp Suite Professional version; here is some more
information: https://portswigger.net/blog/launching-scans.

I didn't get major vulns in the first file, so I let Burp do its job on the second
file and took my wife and kids for a weekend dinner. When we returned after 3–4
hours, Burp was still running, but a red exclamation icon was flashing with
issue type (SQL Injection).

Burp Suite finally found a boolean-based SQL injection for me. I checked the server
and it’s Apache. I sent the vulnerable URL to Repeater with multiple sleep queries like:

1'XOR(SELECT(1)FROM(SELECT(SLEEP(8)))a)XOR'Z
1' ORDER BY 1--+
1 or sleep(5)

but sadly I was getting a JSON message saying “Success” from the server.
It seems the WAF/server was doing some kind of sanitization of known SQLi payloads.

#4 First Breakthrough
I spent an hour trying different methods to see at least an error or execute sleep();
nothing worked. The GET request didn't work, so I decided to change the request to
POST and sent the simple payload 1=1' as the value for the parameter, and voila, here I
got the following error:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version for the right
syntax to use near ''1=1''))
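The error above is what PDO reports when a quote in the parameter value breaks the string literal the application has spliced it into. As an added example (not the retailer's code, whose schema is redacted), here is that vulnerable pattern next to its parameterised fix, with sqlite3 standing in for MySQL; the table and column names are assumptions.

```python
import sqlite3

# sqlite3 stands in for the retailer's MySQL; the table and its rows are
# constructed for this example, not the post's redacted schema.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE suggestion (id INTEGER PRIMARY KEY, note TEXT);
INSERT INTO suggestion VALUES (1, 'faster checkout'), (2, 'more sizes'), (3, 'dark mode');
""")


def lookup_concat(xxx):
    """Vulnerable: the request parameter is spliced straight into the SQL text."""
    sql = f"SELECT id, note FROM suggestion WHERE id = '{xxx}'"
    return CONN.execute(sql).fetchall()


def lookup_param(xxx):
    """Hardened: the value is bound as a parameter and can never become SQL."""
    return CONN.execute("SELECT id, note FROM suggestion WHERE id = ?", (xxx,)).fetchall()


def probe(fn, xxx):
    """Run one lookup and report either its rows or the database error it raised.

    A stray quote on the concat path raises a syntax error (the sqlite
    counterpart of MySQL's 1064); on the bound path it is just a non-matching value.
    """
    try:
        return ("rows", fn(xxx))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for payload in ("1", "1=1'", "1' OR 1=1--+"):
        print(repr(payload), "concat:", probe(lookup_concat, payload))
        print(repr(payload), "param: ", probe(lookup_param, payload))
```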

Now I know SQL injection is possible on this site. Before moving to SQLMap, I
wanted to see how many endpoints are using this vulnerable parameter, so I extended
my search in Kali and grepped for the parameter “xxx”. I found only 4 out of 2892
geographically based subdomains are using this parameter. When I opened the links
to see if there are any forms or input fields, I was redirected to the homepage. This
confirmed the page is not active anymore.

When I checked on archive.org, I found a cached version that showed me the page is
a kind of user experience enhancement suggestion page; most of it is in a language
foreign to me. I left archive.org and headed back to my Kali VM.
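The server filtered the known GET payloads yet let a bare quote through over POST, so detection has to parse the POST body as well as the query string, and a MySQL 1064 error in the application log is the signal that a quote actually reached the database. An added example (not from the original post) running both checks over constructed log lines; the log format, the body= field and the token list are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not from the original post). Assumed format:
# "<METHOD> <path?query> [body=<urlencoded form>] <status>".
ACCESS_LOG = [
    "GET /suggest?xxx=1 200",
    "GET /suggest?xxx=1'%20or%20sleep(5) 200",
    "POST /suggest body=xxx=1%3D1%27 500",
    "POST /suggest body=xxx=great%20store 200",
]
# Constructed PHP application log; the first line mirrors the PDO error in the post.
APP_LOG = [
    "PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 "
    "You have an error in your SQL syntax ... near ''1=1''))",
    "Notice: Undefined index: lang",
]

# Tokens that should never appear in a value the app splices into SQL. A list
# like this is a detection aid only; the fix is parameterised queries.
SQLI_TOKENS = re.compile(r"'|--|\bsleep\s*\(|\bxor\b|\bunion\b", re.IGNORECASE)


def request_params(line):
    """Return {name: [values]} from BOTH the query string and the POST body."""
    parts = line.split()
    params = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    for tok in parts[2:-1]:  # everything between the path and the status code
        if tok.startswith("body="):
            params.update(parse_qs(tok[len("body="):], keep_blank_values=True))
    return params


def flag_requests(lines):
    """Return (method, param, value) for every decoded value carrying an SQLi token."""
    hits = []
    for line in lines:
        method = line.split()[0]
        for name, values in request_params(line).items():
            for value in values:
                if SQLI_TOKENS.search(value):
                    hits.append((method, name, value))
    return hits


def db_syntax_errors(lines):
    """Application-log lines showing an injected quote reached MySQL (error 1064)."""
    return [line for line in lines if "SQLSTATE[42000]" in line and "1064" in line]
```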

#5 SQLMAP or Ghauri, here is the Winner

I recently noticed SQLMap is losing its edge to Ghauri (https://github.com
/r0oth3x49/ghauri). Not a single time but more than 4–5 times, when SQLMap fails,
Ghauri gets the exploit right within a few minutes.

I copied the request into a file and ran SQLMap with the bare minimum flags, -r
request.txt -p xxx --random-agent. It failed to find the exploit; I got multiple
errors, 500, 4xx etc., but unfortunately SQLMap failed me every time.

In my recent tweet I asked for help from the community on a similar situation;
there were some good suggestions, but none of them worked here except the one
suggesting to use Ghauri.

https://twitter.com/nav1n0x/status/1630627895952527361

I sent the same request to Ghauri and here is the result. Ghauri took just 4 minutes
to find the exploit for time-based blind SQL injection and boolean-based blind.


#6 Retrieving Database Name

Now it’s time to retrieve the database name to prove the exploit. I ran the following
command:

ghauri -r xxx -p xxx --dbms=mysql --dbs

And here I have the nice beautiful xxx*** database name, which suggests the DB is
a production database.

I ran Ghauri on all the endpoints and received different databases, including staging
and UAT endpoints.

#7 Retrieving banner and current-user

ghauri -r xxx -p xxx --dbms=mysql -D xxx**** --current-user -b

Winner:
SQLMap: 0 | Ghauri: 1

#8 Retrieving Admin username and password hash

As I now have everything to prove the vulnerability, I wanted to go a little further with
this. I looked for tables in the main prod database and found the table called
“admin_****_****” with the following columns.

As the column p***_***_** is present, I know I can be the new owner of the database
:), but I just want the bounty, not the database.

I ran the following command to retrieve the password hash.

ghauri -r xxx -p xxx --dbms=mysql -D xxx**** -T a****_**** -C p***_**** --dump


aaand here it is. I now have the admin password hash and the password, which
would let me own any of their databases from 3 major eStores.

I humbly sent them a detailed report on my findings and my analysis. I got the reply
on Monday evening (time difference) asking to see if there are more vulnerable
parts, but I couldn't find any.

The same night I got acknowledged about the acceptance of the vulnerability. They are
internally discussing the bounty and possibly applying the fix. I reported 4
SQL injections, 3 XSS and an open redirect; I’m expecting a payout of a minimum of
4.5K EUR.

That’s all.

Takeaways:

1. Always go for a larger scoped target.

2. Make use of GoSpider, ParamSpider and Arjun.

3. Archive.org has more vulnerable endpoints cached than the live ones.

4. If the GET request didn't work, try POST and change the protocol version
(HTTP/1.0 to HTTP/2.0) to see if it helps.

Thank you for reading. I will come back soon with another interesting story of
multiple Log4Shell findings on a major sports goods manufacturer’s web app.
