#2. Bug Bounty POC: Time-Based SQL Injection to Dump Database
Hello and welcome, fellow cyber explorers! Today I'm excited to share my latest write-up on time-based SQL injection, where I'll walk you through how data can be extracted from a database through a time-based blind SQL injection.
Description:
Time-based SQL injection is a type of SQL injection attack in which the attacker injects query constructs whose execution time depends on a condition, and then infers information from the database by measuring how long the server takes to respond. Unlike traditional SQL injection, where the injected query's results are returned directly in the response, time-based attacks rely only on the delay introduced by specific SQL constructs (such as sleep or pipe-wait functions), which is why they still work when the application shows no data or error output at all.
Impact of Time-Based Blind SQL Injection
- Data Extraction: Attackers can use time-based techniques to extract sensitive data from the database slowly. By injecting carefully crafted queries that introduce delays, they can retrieve information character by character, such as usernames, passwords, or other confidential data.
- Database Discovery: Through time delays, attackers can gain insights into the database schema and structure. They can use this information to understand how the database is designed, the types of tables, and potentially the relationships between different data entities.
- Denial of Service (DoS): Time-based SQL injection can also be used to degrade the performance of the database or the application by causing excessive load. By injecting long-running queries, attackers can impact the responsiveness of the whole system.
Let's start...
So, I was testing an Android application for one of the programs. I've reported several different findings in the app, but I thought this vulnerability deserved an article of its own.
At first I installed the app and tried to log in, but the application was not allowing me to log in and threw me an error of "Something Went Wrong". This happened because of SSL pinning. Then I used Frida to bypass the SSL pinning, which was only partially bypassed: there was still okhttp3-related pinning that I was unable to bypass.
When I checked the HTTP history in Burp Suite, there was the login request along with a few other API requests.
Steps to Reproduce:
1. What caught my attention was the EMP_ID parameter, seen after trying to log in with random values.
2. The discovered endpoint was /api/business/business_kpi, which carried the employee ID parameter.
3. There I tried adding a single quote ('), which gave a 500 Internal Server Error.
4. Then I added EMP_ID=3710+AND+1=0, and noticed that the data in the response changed.
5. After checking this behaviour, I ran sqlmap against the saved Burp POST request. It produced the vulnerable payload below, which I replayed in the Burp request and observed a delay, as shown in the screenshot below.
Vulnerable Payload: EMP_ID=4727 AND 4900=DBMS_PIPE.RECEIVE_MESSAGE(CHR(114)||CHR(105)||CHR(105)||CHR(113),5)&LEVEL=UH&UNIT=BHAG
6. To retrieve the information, I saved the Burp request and ran sqlmap with the command below (--technique=T restricts sqlmap to the time-based technique).
sqlmap -r burprequest.txt --technique=T --dbs
By using the tool, I was able to retrieve the databases and further sensitive information.
sqlmap -r burprequest.txt --technique=T -D <database_name> --tables
Further, I tried extracting the details within the databases.
sqlmap -r burprequest.txt --technique=T -D <database_name> -T <table_name> --columns
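On the defending side, the probe sequence in steps 3 to 5 leaves a recognisable trail: a numeric parameter that suddenly carries SQL, a 500 on a stray quote, and a response that takes roughly as long as the sleep argument (5 seconds here). The following is an added example, not code from the original post, that scans constructed access-log lines for that pattern; it assumes a log format that records the request target and the response time in milliseconds, that the parameters are visible in the logged URL, and that EMP_ID should only ever be an integer.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Time-delay primitives that only appear inside an injected SQL fragment (Oracle, MySQL, MSSQL, PostgreSQL).
DELAY_RE = re.compile(
    r"DBMS_PIPE\.RECEIVE_MESSAGE|\bSLEEP\s*\(|\bBENCHMARK\s*\(|WAITFOR\s+DELAY|\bPG_SLEEP\s*\(",
    re.IGNORECASE,
)
NUMERIC_PARAMS = {"EMP_ID"}  # assumption: this endpoint only ever takes an integer employee id
# Assumed log format: ip ident user [time] "METHOD target proto" status bytes response_ms
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ (?P<ms>\d+)$'
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"], entry["ms"] = int(entry["status"]), int(entry["ms"])
    # parse_qsl decodes '+' and %XX, so the injected fragment is inspected in its decoded form
    entry["params"] = parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True)
    return entry

def classify(entry, slow_ms=4000):
    """Return the reasons an entry looks like blind-SQLi probing; an empty list means clean."""
    reasons = []
    for name, value in entry["params"]:
        if name in NUMERIC_PARAMS and not value.isdigit():
            reasons.append(f"non-numeric {name}={value!r}")
        if DELAY_RE.search(value):
            reasons.append(f"delay primitive in {name}")
    if reasons and entry["ms"] >= slow_ms:  # a delay only counts on an already suspicious request
        reasons.append(f"slow response {entry['ms']}ms")
    if reasons and entry["status"] == 500:
        reasons.append("server error on tampered input")
    return reasons

def scan_log(lines):
    """Return (ip, target, reasons) for every parseable line that triggers at least one reason."""
    entries = filter(None, map(parse_line, lines))
    return [(e["ip"], e["target"], r) for e in entries if (r := classify(e))]

SAMPLE_LOG = [  # constructed lines mirroring the write-up's probe sequence (GET so the parameters are in the URL)
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/business/business_kpi?EMP_ID=3710&LEVEL=UH&UNIT=BHAG HTTP/1.1" 200 512 120',
    '10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /api/business/business_kpi?EMP_ID=%27&LEVEL=UH&UNIT=BHAG HTTP/1.1" 500 0 95',
    '10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /api/business/business_kpi?EMP_ID=3710+AND+1%3D0&LEVEL=UH&UNIT=BHAG HTTP/1.1" 200 64 130',
    '10.0.0.5 - - [01/Jan/2024:10:01:02 +0000] "GET /api/business/business_kpi?EMP_ID=4727+AND+4900%3DDBMS_PIPE.RECEIVE_MESSAGE(CHR(114)%7C%7CCHR(105)%7C%7CCHR(105)%7C%7CCHR(113),5)&LEVEL=UH&UNIT=BHAG HTTP/1.1" 200 512 5210',
]
```

Running scan_log(SAMPLE_LOG) flags the last three lines and leaves the first, legitimate request alone; the fix on the application side is the usual one, binding EMP_ID as an integer parameter instead of concatenating it into the query.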
Finally, I reported the vulnerability to the program with all the details and impact. Given its criticality, the program responded and fixed the issue within a day.
NOTE: Extracted data was deleted ;)
So that's it for now. Thanks for reading; I appreciate you taking the time. For other such write-ups, do visit the writeups.
If you found it useful, please click the clap button and share it with others who have similar interests! Feedback is always appreciated!