I Earned $3500 and 40 Points For A GraphQL Blind SQL Injection Vulnerability. | by Nav1n | Mar, 2023 | Medium
nav1n
After my first post, a lot of you asked me to continue writing, but honestly it's not
possible for me as I'm doing a full-time job from 8 AM until 6 PM, reach home at
7:30 and then go to the gym; it's a bit difficult for me, but I'm planning to write something on
weekends to help the community of white-hat hackers.
1 of 8 20-04-2023, 11:42 am
I Earned $3500 and 40 Points for A GraphQL Blind SQL Injection Vul... https://medium.com/@nav1n/i-earned-3500-and-40-points-for-a-graphql...
Image © https://www.invicti.com/blog/web-security/how-blind-sql-injection-works/
So, today it's already the weekend; I sat down for a couple of hours and am back with a write-up
of another impactful yet easy SQL injection that I recently discovered in a private
target's web-app.
The target was a private invite; however, it's very popular with a lot of white-hat
hackers and many of them have already tried their hand at it. When I received the invitation I
noticed the target had already been on Bugcrowd for more than 2 years with over 250
bugs discovered and rewarded so far. As I clicked on the Accept Invite button, I already
knew that it's not easy to find even P3 bugs, let alone P1 or P2, but I also knew that I
had to be creative and think out-of-the-box to find something that no-one else had
discovered yet.
As the target is present in each and every country worldwide, I knew it would be easy to
find the TLDs using certificate transparency (CT) services, so I opened the main
website target.com in Firefox to find the Organization name in the SSL certificate (as in
the example screenshot below) and copied it.
It's worth noting that most organizations register their SSL certificates under the
Organization name, like "Twitter, Inc". So when searching for subdomains or ccTLD
domains, make sure you search using the Organization name.
Next, I used netlas.io and crt.sh to find every possible ccTLD domain under this
Organization. After combining both results, there were more than 7k results including
subdomains. After filtering them, I was left with around 64 (What???) endpoints to
target.
I sent the list through ParamSpider using the following command with the --subs False flag
to exclude subdomains.
ParamSpider took its time and returned around 20k lines of URLs; I removed the
garbage data to get a final list of 12k good URLs.
I started inspecting the parameters and URLs, but sadly found that most of them were
similar links to their product pages like this: https://www.target.co.xx/en/xxxx
/category2/men/t-shirts.xxx?n=xx&s=xx&ww=xxx and those were of no use to me, as the
same parameter was present in more than 10k URLs. I tested a couple of them for SQL
injection and XSS, and found they were not vulnerable.
I filtered out all those product URLs and made a good list of around 1.6k URLs.
Nuclei Scanning
As I wanted to probe the technology behind that list, I sent it through a Nuclei
default scan.
In a few seconds, I had the results. Out of many, the following result caught my eye:
one of the country TLDs uses GraphQL, but it looks like there's a misconfiguration in
the GraphQL.
However, Burp Suite rated the issue as Tentative, so I wasn't sure whether an SQL
injection vulnerability was present or it was just a false positive.
I decided to take things into my own hands and go for manual attacks, because I trust
Burp Suite's ability to find such vulnerabilities; it couldn't be a false positive. I set aside all
other endpoints until I could confirm whether the SQLi was possible.
After spending an hour I finally captured the full query that was used to GET/POST user
"gender" data. The query accepts 3 keywords, "M", "F" and "NA", which are short for
Male, Female and Not Applicable.
{
"query":
"query ($_key***_0:String!, $_***_0:Int!) {*****
(keyword:$_key***_0, ****:$_***_0){ key***_text, number_of_result,
number_of_uses, ***_id, gender_cd, url }}",
"variables":{
"_key***_0":"M",
"_***_0":"1"
}
}
From the Nuclei scan I knew the app uses PHP and runs on Apache, so I started
sending MySQL sleep payloads. I hit the jackpot when I sent the payload below: the server delayed its
response for 10.121 seconds, and I confirmed the vulnerability using multiple payloads
with different time delays.
XOR(if(now()=sysdate(),sleep(9),0))XOR\"Z
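As an added illustration (not code from the write-up or from the target), here is the class of resolver that lets a GraphQL variable reach the database unescaped, beside a hardened version that allowlists the three gender codes, type-checks the integer and binds parameters. The table, column names and sample rows are constructed and stand in for the redacted query above; sqlite3 is used in place of MySQL so it runs offline.

```python
import sqlite3

# The only values the real query accepts, per the write-up.
ALLOWED_GENDER_CODES = {"M", "F", "NA"}


def make_db():
    """Constructed in-memory stand-in for the redacted keyword table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE keywords (keyword_text TEXT, gender_cd TEXT, url TEXT)")
    con.executemany("INSERT INTO keywords VALUES (?, ?, ?)", [
        ("t-shirts", "M", "/en/men/t-shirts"),
        ("dresses", "F", "/en/women/dresses"),
        ("gift-cards", "NA", "/en/gift-cards"),
    ])
    return con


def resolve_vulnerable(con, keyword, limit):
    """Concatenates the GraphQL variables straight into SQL.

    This is the bug class in the write-up: anything the client puts in the
    'keyword' variable becomes part of the WHERE clause.
    """
    sql = (f"SELECT keyword_text, url FROM keywords "
           f"WHERE gender_cd = '{keyword}' LIMIT {limit}")
    return con.execute(sql).fetchall()


def resolve_hardened(con, keyword, limit):
    """Allowlist the enum-like value, type-check the integer, bind parameters."""
    if keyword not in ALLOWED_GENDER_CODES:
        raise ValueError("gender code must be one of M, F, NA")
    if not isinstance(limit, int) or limit < 1:
        raise ValueError("limit must be a positive integer")
    sql = "SELECT keyword_text, url FROM keywords WHERE gender_cd = ? LIMIT ?"
    return con.execute(sql, (keyword, limit)).fetchall()


def is_rejected(con, keyword, limit):
    """True if the hardened resolver refuses the input before touching the DB."""
    try:
        resolve_hardened(con, keyword, limit)
    except ValueError:
        return True
    return False
```

With a keyword such as `NA' OR '1'='1` the vulnerable resolver returns every row, while the hardened one rejects it; the time-delay payload from the write-up is rejected the same way.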
I felt so relieved after seeing the server delay its response based on the query I
sent. In fact, I had wanted to stop working on the target out of frustration when things
didn't work, but eventually focus, determination and hard work paid off.
I immediately prepared the report and submitted it. I even asked the triager if he wanted me
to run SQLMap to see if I would be able to gather the host-name/database or current-user,
but they said they would consult the client and advise; however, the report was triaged
as Blind SQL Injection and the target paid me $3500 for the effort + 40 points :)
That's all for today, thank you for reading. I will soon be back with another good finding.
I think I should write a blog on my Log4Shell findings, please let me know if you are
interested.