
Bug Bounty Show

BSides Ahmedabad · 2022 · 8:30 · 1.4K views · Published 2023-02
About this talk
Bug Bounty Show at BSides Ahmedabad 2022
Transcript (en)

Let's move to the next session. As you know, SQL injection is a very critical vulnerability, so I would like to welcome Kuldeep to explain the PHP EAR to SQL injection attack. Please give a round of applause for Kuldeep. He is going to give a demo, as Hermana has given, so it's gonna be interesting.

Hello everyone, good morning on this beautiful Saturday, and good evening. Today my topic is going to be PHP Execute After Redirect to SQL Injection, and how this vulnerability landed me a total of ten thousand dollars in bounties. Before we start, I'd like to tell a bit about myself. I'm a chapter leader; I've been actively volunteering there since 2018. I'm a chapter leader now; I was a volunteer before. I currently do full-time bug bounty at the Synack Red Team. I was an SRT hero in last year's recognition program, and I guess most of you may know me from my blog, which is kuldeep.io.

Before we go to the SQL injection part, I'd like to explain a bit about the PHP execute after redirect vulnerability. I guess most of you may have seen these kinds of vulnerabilities, but when I say EAR, not all of you may understand what EAR is. EAR basically stands for Execute After Redirect. It basically occurs when an exit call is not followed by a header call. So usually what happens when validating sessions in PHP is that there is a header call that says: let's check if the user is authenticated or not. If the user is authenticated, then we forward them to the dashboard or whatever we want. If the user is not authenticated, then we redirect them to the login page. So usually, directly after the header call, we have to provide an exit call so that the remaining script does not execute.

This is what the code looks like in a secure implementation. You can see that there is a header call. First, the if condition checks if the username variable is set. If the username variable is set, it means the user is authenticated. But in this condition it checks that if the username variable is not set, then it will redirect them to the login page. But here, after this header call, there is an exit call. What this means is that if there is some code after this PHP tag, let's say there is some dashboard or admin panel or something like that, then it will not execute, because the PHP script has been exited using this exit call. But in this vulnerable configuration, what happens is this exit call is missing, so if there is some admin panel or dashboard or anything like that, it will continue to execute.

So how do you detect these kinds of vulnerabilities? Usually you can detect this while doing ffuf or checking the responses. When you check in Burp Suite, you can see that some 3xx responses have a response body. You have to check whether that response body is something sensitive or not. This thing you have to do manually. If the content length is unusually large, let's say the content is 2000 lines long, then there is something fishy going on. If you use Burp Professional, then it will automatically find these kinds of issues for you; it will tell you that this content length is unusually high, so you may want to check it. Here in the screenshot you can see that there is this db.php file that is returning 200, but that is fine; 200 responses are meant to have some response body. But there is an esearch.php file that is returning 302, and its size is 22511, which is quite large when compared to other 302 responses.

The vulnerability I found went like this. I used ffuf to find all the PHP files, and when I found a PHP file that was quite sensitive, I actually found this esearch.php file, and it had quite large content. When I visited it, it redirected me to index.php, sorry, login.php, so I had to log in, but it had some contents in it. So what I did was I added a match and replace rule in Burp Suite, which basically removes the Location header entirely, so I was not redirected anywhere and the content was basically rendered in the browser. After the esearch.php page was found and the content was rendered, I saw an Employee Search page. If I search for an employee name, it will search in the database and the employee name will be returned, saying that this employee is in the database. But in that search box there was an SQL injection, and from there I just ran sqlmap and got a bounty of 9,903 dollars.

Now I'd like to show you the demo. I have prepared the demo just for this presentation. There is this B-side dot IO website; this is live at this moment, so if you want to perform along, you can also do that. When we visit this, it redirects us to index.php, which is just a basic sign-in page. So we go here. Now we first fuzz all the PHP files. After fuzzing the PHP files, we get db.php and index.php, and along with that we find esearch.php. So we go and visit the esearch.php file, but it again redirects us to the login page; you can see here the location is index.php. Now what I did was I took this header and removed it entirely from the response headers. I added this match and replace rule that removes this "Location: index.php" header from all the response headers. After doing this, this time when we visit esearch.php, we will not be redirected to the login page; now we directly see the employee search page. Here I search "Dom exercise" and it tells us that employee "Dom access" was not found. But if we provide a single quote, then it gives us the SQL error. If you provide two single quotes, then the error is gone, thereby confirming our SQL injection. So now I directly throw this entire thing into sqlmap, and sqlmap will do the job for us. As you can see here, the SQL injection has been confirmed by sqlmap, and we are going ahead with dumping the databases. Here we see the database, which is named "bsides". Now we go on with dumping all the tables; there is a login table. Once we dump the login table, we see the username is admin and the password is admin123. So basically this was the demo. Thank you so much for your time.

Any questions you have for Kuldeep? All right, great. Thank you so much, Kuldeep, for the very informative session.
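The detection heuristic the speaker describes (a 3xx response whose body is unusually large, because the script kept running after `header()` without an `exit`) can be applied without Burp. The following is an added example, not code from the talk or the speaker: a small Python scanner that parses raw HTTP/1.x responses and flags redirects carrying more than a threshold number of body bytes. The `min_body` threshold of 512 bytes and the three sample responses (modelled on the db.php / index.php / esearch.php screenshot) are assumptions constructed for this example; the PHP-side fix remains what the talk states, an `exit` call directly after the `header('Location: ...')` call.

```python
"""Added example, not code from the talk: a small scanner that applies the
heuristic described above, flagging 3xx responses that carry a large body.
All sample responses below are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class Response:
    path: str
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_raw_response(path: str, raw: bytes) -> Response:
    """Split a raw HTTP/1.x response into status code, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return Response(path, status, headers, body)


def find_ear_candidates(responses, min_body=512):
    """Return (path, status, body_len, location) for every redirect whose
    body exceeds min_body bytes.  A redirect that exits right after
    header() carries little or no body; a large body means the script kept
    executing past the redirect, which is the execute-after-redirect
    pattern described in the talk.  min_body is an assumed threshold."""
    hits = []
    for r in responses:
        if 300 <= r.status < 400 and len(r.body) > min_body:
            hits.append((r.path, r.status, len(r.body),
                         r.headers.get("location", "")))
    return hits


# Constructed sample responses mirroring the talk's screenshot: a 200 with a
# normal body, a redirect that exits cleanly (empty body), and a redirect
# whose body is the page that should have been protected by the login check.
SAMPLE_RAW = {
    "/db.php": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html>db ok</html>",
    "/index.php": b"HTTP/1.1 302 Found\r\nLocation: login.php\r\n\r\n",
    "/esearch.php": (b"HTTP/1.1 302 Found\r\nLocation: login.php\r\n\r\n"
                     b"<html><form action='esearch.php'>Employee Search</form>"
                     + b"<!-- padding -->" * 1500 + b"</html>"),
}
SAMPLE_RESPONSES = [parse_raw_response(p, raw) for p, raw in SAMPLE_RAW.items()]


def scan_sample():
    """Run the detector over the constructed samples."""
    return find_ear_candidates(SAMPLE_RESPONSES)


if __name__ == "__main__":
    for path, status, size, loc in scan_sample():
        print(f"{path}: {status} -> {loc} with {size}-byte body (possible EAR)")
```

On the samples only `/esearch.php` is reported: `/db.php` has a body but is a 200, and `/index.php` redirects with an empty body. On a real crawl the threshold should be set relative to the site's other redirects rather than fixed, which is essentially what the speaker describes Burp Professional doing when it flags an unusually large content length.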