Google dorking to SQL injection
Cybersecurity Contributions, Bug Hunting section
https://khalid-emad.gitbook.io/cyber-sec/bughunting/go...
Page captured 3/18/23, 10:33
Greetings Hackers, in this write-up I'll explain how I found a boolean-based SQL injection on a Microsoft Server web app starting from Google dorking, so let's start.

The program I'm talking about is a private program, so I will refer to it as vuln.com.
Getting The Subdomain

After using tools like amass and subfinder I got some decent results, however I wanted to use Google dorking, or more specifically Bing dorking. I used the following dork:

domainName+inurl:admin

In my case:

vuln+inurl:admin

Notice that I didn't use the TLD, in order to get more and non-exclusive results. The purpose of this dork is to search for the admin keyword in any URL related to the domain, so I could find any exposed admin panel.

On the first page I found the following:

[screenshot]

I had found this subdomain before by using the tools I mentioned, but I didn't get anything except the main page; even after performing a directory search I didn't reach this path. And here lies the power of dorking.
Mapping The Site

When I entered the page it was a normal HTML page with no functionality. Before trying anything I thought of accessing the parent directory, which is /arcgis, and I got redirected to the following page:

[screenshot]

Directory indexing that reveals most of the services, plus the current version of ArcGIS REST. Nothing sensitive here, so I decided to search for any CVEs affecting the current version, and I found that it's actually vulnerable to CVE-2012-4949, which says that this version is vulnerable to SQLi in the where parameter of the following URL:

/arcgis/rest/services/{ServiceName}/query?f=json&where=featured=true&returnGeometry=true&spatialRel=esriSpatialRelIntersects

The main problem here was that there were a lot of services, each with further branching links, and it was frustrating to search every section. So I used hakrawler, a web crawler, to get me most of the links, hoping to find any service that makes use of the query endpoint:

echo "http://sub.vuln.com/arcgis/rest/" | hakrawler -d 4 -subs -u

and it got me this:

[screenshot]

Bingo.
Analysing The Parameter

When I went to the URL I found this page:

[screenshot]

I can see an input field for the vulnerable parameter, which is a good sign. The CVE didn't contain any info or exploits; it only said that the parameter was vulnerable.

So I tried the very basic payload to analyse its behaviour: a single quote

'

Seems a promising result. Now let's try to cope with the query logic. We all know that a where statement usually deals with boolean conditions, for example where user='admin', right? What if we add this to our query?

[screenshot]

From this detailed error we can notice that we are dealing with SQL Server, and also that there is no column called user. There was a parameter called f which specifies the format of the response, so let's set it to json and use Burp for ease of illustrating and exploiting.

Here we go...

Now, since we don't know any column name, what about entering a true condition like 1=1, so the whole query is translated to where 1=1:

Response of 1=1

Let's change the condition to a false one like 1=2:

Response of 1=2

This is confirmation of boolean-based SQLi, as the response changes when the condition changes.

I didn't want to report it this way, as I wanted to extract actual data.
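For the defender, the probes described in this section (a lone quote, 1=1 versus 1=2) and the SUBSTRING-over-a-subselect payload used later in the write-up leave a distinctive trail in the web server's access log. The following Python is an added example, not code from the write-up or from Esri: it pulls the where parameter out of every /query request and names the indicators it trips. The log lines, the ExampleService path and the indicator names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the write-up). The first three mimic
# the probes described above against a hypothetical "ExampleService"; the last
# is the benign featured=true query from the CVE's URL.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2023:10:33:01 +0000] "GET /arcgis/rest/services/ExampleService/query?f=json&where=' HTTP/1.1" 500 312
10.0.0.5 - - [18/Mar/2023:10:33:02 +0000] "GET /arcgis/rest/services/ExampleService/query?f=json&where=1%3D1 HTTP/1.1" 200 8812
10.0.0.5 - - [18/Mar/2023:10:33:03 +0000] "GET /arcgis/rest/services/ExampleService/query?f=json&where=SUBSTRING((select+user_name()),1,1)%3D1 HTTP/1.1" 500 340
10.0.0.9 - - [18/Mar/2023:10:35:10 +0000] "GET /arcgis/rest/services/ExampleService/query?f=json&where=featured%3Dtrue&returnGeometry=true HTTP/1.1" 200 4410
"""

# Each indicator is named so an analyst sees *why* a request was flagged.
INDICATORS = [
    ("stray_quote", lambda w: w.count("'") % 2 == 1),                      # unbalanced ' probe
    ("numeric_tautology", re.compile(r"^\s*\d+\s*=\s*\d+\s*$").search),   # 1=1 / 1=2 probes
    ("subselect", re.compile(r"\(\s*select\b", re.I).search),
    ("string_slicing", re.compile(r"\bsubstring\s*\(", re.I).search),
    ("identity_function", re.compile(r"\buser_name\s*\(", re.I).search),
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def classify_where(where):
    """Return the indicator names that a decoded where clause triggers."""
    return [name for name, hit in INDICATORS if hit(where)]

def scan_log(log_text):
    """Return (where_clause, indicators) for each /query request that looks like a probe."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/query"):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, just as the server does
        for where in parse_qs(url.query, keep_blank_values=True).get("where", []):
            hits = classify_where(where)
            if hits:
                findings.append((where, hits))
    return findings

if __name__ == "__main__":
    for where, hits in scan_log(SAMPLE_LOG):
        print(f"{', '.join(hits):45} where={where!r}")
```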
Exploiting The Parameter

Now we know that we are dealing with MSSQL, and I'm not really good with it, so I used PayloadsAllTheThings and the PortSwigger cheat sheet to construct my payload. I found that user_name() is good enough for a PoC; the main syntax is as follows:

SELECT user_name()

First I need to determine its length. Since we are dealing with boolean-based injection, we will depend on the response to learn the length.

Request

Response

After not so many tries I found that the length is 8. Now to get its actual value, I used the SUBSTRING() function as follows:

query?where=SUBSTRING((select+user_name

This selects user_name(), takes its first character and compares it with the provided character. To get the values I would send the request to Intruder and brute-force it 8 times, BUT I'm the kind of person that always wants to mess with things and break them down, so I thought of providing a digit instead of a character to see what happens:

Response

Request

This was really surprising for me: the DBMS actually responded with the character value due to a conversion error, so instead of brute-forcing the rest of the characters I changed the payload to be:

query?where=SUBSTRING((select+user_name

This gets the first 8 characters, because that's the length of the username, and the result was:

[screenshot]

Got the username of the database. Other things could be extracted, like the version, table names, etc., but I stopped here. I reported it as high severity but the triage team changed it to critical.
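The root cause throughout is that the where parameter reaches the DBMS as a raw SQL fragment. As an added example, not the write-up's code and not Esri's own fix for CVE-2012-4949, this Python validator shows the allow-list approach a service can apply at the request boundary: only conditions of the form column op literal, joined by AND/OR and naming columns the server already knows, get through, so the lone quote, 1=1 and a SUBSTRING((select user_name()...)) payload are all rejected before any query is built. The column names and the sample clauses are assumed for the example.

```python
import re

# Allow-listed grammar for an ArcGIS-style "where" parameter:
#   where := cond ((AND | OR) cond)*      cond := column op literal
# Only known column names, comparison operators and literals pass, so functions,
# subqueries, comments and bare tautologies such as 1=1 never reach the DBMS.
TOKEN_RE = re.compile(
    r"\s*(?:(?P<str>'(?:[^']|'')*')|(?P<num>\d+(?:\.\d+)?)"
    r"|(?P<op><>|<=|>=|=|<|>)|(?P<word>[A-Za-z_]\w*))")

def tokenize(where):
    """Split a where clause into (kind, text) tokens; reject anything outside the grammar."""
    pos, tokens = 0, []
    while pos < len(where):
        m = TOKEN_RE.match(where, pos)
        if not m:  # a lone quote, '(', '--', ';' or any other stray character
            raise ValueError(f"unexpected input at offset {pos}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

def validate_where(where, columns):
    """Return True if `where` fits the grammar above, else raise ValueError."""
    toks, allowed = tokenize(where.strip()), {c.lower() for c in columns}
    if not toks or len(toks) % 4 != 3:  # a cond is 3 tokens; each further cond adds 4
        raise ValueError("malformed expression")
    for i in range(0, len(toks), 4):
        (ck, col), (ok, _), (vk, val) = toks[i:i + 3]
        if ck != "word" or col.lower() not in allowed:  # also rejects SUBSTRING, user_name, select
            raise ValueError(f"unknown column {col!r}")
        if ok != "op":
            raise ValueError("expected a comparison operator")
        if vk not in ("str", "num") and not (vk == "word" and val.upper() in ("TRUE", "FALSE")):
            raise ValueError(f"expected a literal, got {val!r}")
        if i + 3 < len(toks) and not (toks[i + 3][0] == "word" and toks[i + 3][1].upper() in ("AND", "OR")):
            raise ValueError("expected AND or OR between conditions")
    return True

def is_safe_where(where, columns):
    """Boolean wrapper for use at the request boundary."""
    try:
        return validate_where(where, columns)
    except ValueError:
        return False

if __name__ == "__main__":
    cols = ["featured", "name"]  # assumed column list for the example service
    for clause in ["featured=true", "'", "1=1", "SUBSTRING((select user_name()),1,1)=1"]:
        print(f"{clause!r:45} -> {'allowed' if is_safe_where(clause, cols) else 'rejected'}")
```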
Final

Shout out to GodfatherOrwa for his tip about using Bing dorking.

As a final tip from me: don't always rely on tools. I passed the request the first time to SQLMap and it said that the parameter wasn't exploitable.