I Earned $3500 and 40 Points For A GraphQL Blind SQL Injection Vulnerability. by Nav1n | Mar 2023 | Medium

I Earned $3500 and 40 Points for A GraphQL Blind SQL Injection Vul... https://medium.com/@nav1n/i-earned-3500-and-40-points-for-a-graphql...

nav1n · Mar 11 · 6 min read
I Earned $3500 and 40 Points for A GraphQL Blind SQL Injection Vulnerability.

Thank you for your love and appreciation for my recent blog post on MySQL SQL
Injection that I found in a major international retail company.

After my first post, a lot of you asked me to continue writing, but honestly it's not
possible for me, as I'm doing a full-time job from 8 AM until 6 PM, reach home at
7:30 and then go to the gym; it's a bit difficult for me, but I'm planning to write something on
weekends to help the community of white-hat hackers.


Image © https://www.invicti.com/blog/web-security/how-blind-sql-injection-works/

So, today is already the weekend; I sat down for a couple of hours and am back with a write-up
of another impactful yet easy SQL Injection that I recently discovered in a private
target's web app.

The target was a private invite; however, it is very popular with white-hat
hackers and a lot of them had already tried their hand at it. When I received the invitation I
noticed the target had already been on BugCrowd for more than 2 years, with over 250
bugs discovered and rewarded so far. As I clicked on the Accept Invite button, I already
knew that it would not be easy to find even P3 bugs, let alone P1 or P2, but I also knew that I
had to be creative and think out of the box to find something that no one else had
discovered yet.

SQL Injection In the GraphQL Query


The target had a huge scope, but subdomains were not in the scope. The scope was
like target.*. I found it interesting as it covers a wide range of ccTLDs (e.g.
target.co.uk, target.it, target.ae, target.co.in, target.com, etc.).

As the target is present in each and every country worldwide, I knew it would be easy to
find the TLDs using certificate transparency (CT) services, so I opened the main
website target.com in Firefox to find the Organization name in the SSL certificate (as in
the example screenshot below) and copied it.


It's worth noting that most organizations register their SSL certificates under the
Organization name, like "Twitter, Inc". So when searching for subdomains or ccTLD
domains, make sure you search using the Organization name.

Next, I used netlas.io and crt.sh to find every possible ccTLD domain under this
Organization. After combining both results, there were more than 7k results including
subdomains. After filtering them, I was left with around 64 (What???) endpoints to
target.
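The CT filtering step described above, as an added Python example that is not the author's tooling: it collapses crt.sh-style records to the apex domains registered under the brand, dropping subdomains, wildcards and look-alike names. The record layout, the brand name "target" and the short public-suffix table are constructed assumptions; a real run would load the full Public Suffix List.

```python
# Constructed subset of multi-label public suffixes; a real run would load the full
# Public Suffix List so that entries like "co.uk" are never treated as registrable domains.
MULTI_LABEL_SUFFIXES = {"co.uk", "co.in", "com.au", "co.jp", "com.br", "co.nz"}

# Constructed records in the shape of crt.sh JSON output: name_value packs several
# SAN entries into one string separated by newlines, and wildcard names start with "*."
SAMPLE_CT_RECORDS = [
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.target.com\ntarget.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.target.co.uk"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "api.target.co.in\ncdn.target.co.in"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "target.it"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "targetcdn.com"},  # look-alike, not the brand
    {"issuer_name": "C=US, O=Example CA", "name_value": "legacy.partner-of-target.de"},
]

def registrable_domain(hostname: str) -> str:
    """Return the apex domain of a hostname (shop.target.co.uk -> target.co.uk), or "" for a bare suffix."""
    labels = hostname.lower().strip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return ""
    return ".".join(labels[-(suffix_len + 1):])

def apex_domains_for_brand(ct_records, brand: str) -> list:
    """Collapse CT records to the unique apex domains whose registrable label equals `brand`."""
    found = set()
    for record in ct_records:
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lstrip("*.")        # drop the wildcard prefix and stray dots
            if not name or "@" in name:             # skip empty entries and e-mail SANs
                continue
            apex = registrable_domain(name)
            if apex and apex.split(".", 1)[0] == brand:
                found.add(apex)
    return sorted(found)
```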

HTTP Probing and Parameter Discovery


I copied the list to my Kali VM and sent it through httpx; after probing, I was
left with 57 live endpoints.

I sent the list through ParamSpider using the following command with the --subs False flag
to exclude subdomains.

cat targets | xargs -n 1 -I {} python3 ~/ParamSpider/paramspider.py --subs False --domai

ParamSpider took its time and returned around 20k lines of URLs; I removed the
garbage data to end up with a final list of 12k good URLs.


I started inspecting the parameters and URLs, but sadly found that most of them were
similar links to product pages like this: https://www.target.co.xx/en/xxxx/category2/men/t-shirts.xxx?n=xx&s=xx&ww=xxx.
Those were of no use to me, as the same parameters were present in more than 10k URLs; I tested a couple of them for SQL
injection and XSS and found they were not vulnerable.

I filtered out all those product URLs and made a good list of around 1.6k URLs.

Nuclei Scanning
As I wanted to probe the technology behind that list, I sent them through a Nuclei
default scan.

In a few seconds, I had the results. Out of many, the following result caught my eye:
one of the country TLDs uses GraphQL, but it looked like there was a misconfiguration in
the GraphQL.

Burp Suite Scan


When there's a hint, I always confirm it through Burp Scanner. Same here: I sent the
URLs to Burp and started an active scan. A few minutes later, bingo, Burp found a potential
SQL injection in the query when a single quote (') was submitted in the request
body. The server responded with "500 Internal Server Error".


However, for Burp Suite the issue is Tentative, so I was not sure if an SQL
Injection vulnerability was present or if it was just a false positive.

SQLMAP and Ghauri Couldn't Find The Injection


I copied the request and sent it to SQLMAP and Ghauri, but neither could find any
injection.


I decided to take things into my own hands and go for manual attacks, because I trust
Burp Suite's ability to find such vulnerabilities; it can't be a false positive. And I set aside all
other endpoints until I could confirm whether the SQLi was possible or not.

Finding the Right GraphQL Query


I opened my Burp Community edition on another screen, sent a request to the
vulnerable URL and started capturing requests to analyze the way it responds to
different types of queries.

After spending an hour I finally captured the full query that is used to GET/POST user
"gender" data. The query accepts 3 keywords, "M", "F" and "NA", short for
Male, Female and Not Applicable.

The example query is as below:

{
"query":
"query ($_key***_0:String!, $_***_0:Int!) {*****
(keyword:$_key***_0, ****:$_***_0){ key***_text, number_of_result,
number_of_uses, ***_id, gender_cd, url }}",
"variables":{
"_key***_0":"M",
"_***_0":"1"
}
}
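An added example, not the author's or the target's code, of why a query like the one above breaks on a single quote and how the resolver behind it should be written: the vulnerable version splices the GraphQL variables into SQL, the hardened version allowlists the three keywords and binds both values as parameters. The names _keyword_0, _count_0 and keyword_stats stand in for the redacted ones, and SQLite stands in for the target's MySQL.

```python
import sqlite3

# Constructed stand-ins for the redacted names in the post's query; SQLite stands in for MySQL
GENDER_CODES = ("M", "F", "NA")
QUERY_VARIABLES = {"_keyword_0": "M", "_count_0": "1"}   # shape of the "variables" object above

def make_db() -> sqlite3.Connection:
    """In-memory table carrying the fields the GraphQL query selects."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE keyword_stats (keyword_text TEXT, number_of_result INTEGER, "
                "number_of_uses INTEGER, gender_cd TEXT, url TEXT)")
    con.executemany("INSERT INTO keyword_stats VALUES (?, ?, ?, ?, ?)",
                    [("M", 120, 4, "M", "/men"), ("F", 210, 9, "F", "/women"), ("NA", 5, 1, "NA", "/all")])
    return con

def resolve_vulnerable(con, variables):
    """Resolver that splices the GraphQL variables into SQL: a quote in the input breaks the statement."""
    sql = ("SELECT keyword_text, number_of_result, url FROM keyword_stats "
           f"WHERE gender_cd = '{variables['_keyword_0']}' LIMIT {variables['_count_0']}")
    return con.execute(sql).fetchall()

def resolve_hardened(con, variables):
    """Same query with the keyword allowlisted and both values bound as parameters."""
    keyword = variables["_keyword_0"]
    if keyword not in GENDER_CODES:          # a GraphQL enum type would reject this at validation time
        raise ValueError("gender_cd must be one of M, F, NA")
    count = int(variables["_count_0"])       # the schema declares Int!; coerce before binding
    if not 1 <= count <= 100:
        raise ValueError("count out of range")
    return con.execute("SELECT keyword_text, number_of_result, url FROM keyword_stats "
                       "WHERE gender_cd = ? LIMIT ?", (keyword, count)).fetchall()

def outcome(resolver, con, variables) -> str:
    """Classify a resolver's behaviour on an input: 'rows', 'sql_error' (the post's 500) or 'rejected'."""
    try:
        resolver(con, variables)
        return "rows"
    except sqlite3.OperationalError:
        return "sql_error"
    except ValueError:
        return "rejected"
```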

Finding Blind SQL Injection


Once I had the right query I started playing with it, sending different
payloads.


From the Nuclei scan I knew the app uses PHP and runs on Apache, so I started
sending MySQL sleep payloads. I hit the jackpot when I sent the payload below: the server delayed its
response for 10.121 secs, and I confirmed the vulnerability using multiple payloads
with different time delays.

XOR(if(now()=sysdate(),sleep(9),0))XOR\"Z
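An added detection example, not from the post, of what a defender could run over GraphQL request logs: it flags variables carrying MySQL time-delay fragments like the payload above, quote-bearing inputs that produced a 5xx (the signal Burp keyed on), and responses far slower than the endpoint's median. The JSON-per-line log format and the sample records are constructed.

```python
import json
import re
from statistics import median

# Fragments of MySQL time-based / boolean-oracle payloads such as the one in the post
SQLI_TIME_PATTERN = re.compile(r"\b(?:sleep|benchmark)\s*\(|\bsysdate\s*\(|\bxor\b", re.I)
QUOTE_OR_ESCAPE = re.compile(r"""['"\\]""")

# Constructed log records (assumed format): one JSON object per line with the parsed GraphQL body
Q = "query ($k:String!){ stats(keyword:$k){ url } }"
SAMPLE_LOG_LINES = [json.dumps(r) for r in [
    {"ts": "2023-03-11T10:00:01Z", "client": "203.0.113.10", "status": 200, "duration_ms": 180,
     "body": {"query": Q, "variables": {"k": "M"}}},
    {"ts": "2023-03-11T10:00:05Z", "client": "198.51.100.7", "status": 500, "duration_ms": 200,
     "body": {"query": Q, "variables": {"k": "M'"}}},
    {"ts": "2023-03-11T10:00:09Z", "client": "198.51.100.7", "status": 200, "duration_ms": 9200,
     "body": {"query": Q, "variables": {"k": 'M" XOR(if(now()=sysdate(),sleep(9),0))XOR"Z'}}},
    {"ts": "2023-03-11T10:00:12Z", "client": "203.0.113.11", "status": 200, "duration_ms": 170,
     "body": {"query": Q, "variables": {"k": "F"}}},
]]

def _string_values(obj):
    """Yield every string leaf in the GraphQL `variables` object, nested input objects included."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _string_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _string_values(v)

def scan_graphql_log(lines, slow_factor=10):
    """Return (ts, client, sorted reasons) for requests that look like SQLi probes or have anomalous latency."""
    records = [json.loads(line) for line in lines]
    typical = median(r["duration_ms"] for r in records)   # baseline latency for this endpoint
    findings = []
    for r in records:
        reasons = set()
        for value in _string_values(r["body"].get("variables", {})):
            if SQLI_TIME_PATTERN.search(value):
                reasons.add("sqli_time_pattern")
            if QUOTE_OR_ESCAPE.search(value) and r["status"] >= 500:
                reasons.add("quote_break_then_5xx")       # quote in input followed by a server error
        if r["duration_ms"] > slow_factor * typical:
            reasons.add("slow_response")                  # sleep()-style delay stands out against the median
        if reasons:
            findings.append((r["ts"], r["client"], sorted(reasons)))
    return findings
```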


I felt so relieved after seeing the server delay the response based on the query I
sent. In fact, I had wanted to stop working on the target out of frustration when things
didn't work, but eventually focus, determination and hard work paid off.

I immediately prepared the report and submitted it. I even asked the triager if he wanted me
to run SQLMap to see if I would be able to gather the host name, database or current user,
but they said they would consult the client and advise; however, the report was triaged
as Blind SQL injection and the target paid me $3500 for the effort + 40 points :)

That's all for today, thank you for reading. I will soon be back with another good finding.
I think I should write a blog on my Log4Shell findings; please let me know if you are
interested.


I’m on Twitter if you wish to follow me :)
