Kuldeep Pandya

@kuldeepdotexe

13 tweets 24 reads Aug 05, 2023
I learned a new SQLMap trick that may get your reports accepted faster!
Details in the thread.
👇
#bugbounty #hacking
1/n
SQLMap supports a `--test-filter` flag. This flag tells SQLMap to test for payloads that match a specific pattern.
2/n
For example, if the flag is set to "boolean-based blind", then SQLMap will only test for payloads that match the "boolean-based blind" string. Meaning, SQLMap will test for payloads like "AND boolean-based blind - WHERE or HAVING clause" etc.
3/n
Let's see this in action. For this test, I have chosen @websecacademy's most basic SQL injection lab.
Normally, you would manually confirm the SQL injection and then use SQLMap for data retrieval.
4/n
The SQLMap command looks like this:
sqlmap -u 'https://lab_host/filter?category=Food+%26+Drink' -p category
5/n
SQLMap identified the injection with 49 requests. Not much for a basic lab, but real apps can range from a few hundred to a few thousand.
It can take even more time when the DBMS is unknown and/or you use a higher SQLMap level (e.g. `--level=5`).
6/n
Once identified, the next strategy is to dump a few rows from the database as proof of data retrieval and then we go ahead and report the issue.
7/n
However, let's assume that SQLMap identifies the issue only after 5000 requests, taking about 20 minutes to detect. If you submit the report with the same command you used to identify it, it will take the triager the same 20 minutes to detect the vulnerability.
8/n
You can speed up this process by providing the triager with the exact test case that will detect the vulnerability and will be used to dump the database. This can lower the number of requests sent from 5000 to only a few hundred.
9/n
You have validated the issue with SQLMap and you already know that the target is running PostgreSQL and it is vulnerable to a "Generic UNION query (NULL)" injection.
10/n
For your report, you can provide the triager with an SQLMap command like:
sqlmap -u 'https://lab_host/filter?category=Food+%26+Drink' -p category --test-filter="Generic UNION query (NULL)"
11/n
In the screenshot, you can see that we reduced the requests needed to detect the SQL injection from 49 to 22. It may not look like much, but it is significant when the SQL injection requires 5000 requests to detect and you make SQLMap detect it in a few hundred requests.
12/n
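The steps above (read the injection type, title and DBMS from SQLMap's detection summary, then hand the triager a command that goes straight to that test) can be scripted. The following is an added example, not code from the thread's author or from the sqlmap project. It assumes the layout of the summary sqlmap prints after detection ("Parameter: ... / Type: ... / Title: ..." and the "the back-end DBMS is ..." log line); the sample text is constructed to match that layout. It goes slightly beyond the thread by also emitting `--dbms` and `--technique`, two real sqlmap options that narrow detection further, and it strips the column-count suffix from the reported title, as the thread's command does, so the filter still matches the generic test name.

```python
"""Build a reproducible sqlmap command for a bug-bounty report from
sqlmap's own detection summary.

Added example (not code from the thread's author or the sqlmap project).
Assumes the summary format sqlmap prints after detection; SAMPLE_SUMMARY
below is constructed to match that layout.
"""
import re
import shlex

# Constructed sample of sqlmap's detection summary (not real captured output).
SAMPLE_SUMMARY = """\
[12:00:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:
---
Parameter: category (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: category=Food & Drink' UNION ALL SELECT NULL,NULL-- -
---
[12:00:02] [INFO] the back-end DBMS is PostgreSQL
"""

# sqlmap's --technique letters, keyed by the "Type:" string it reports.
TECHNIQUE_LETTERS = {
    "boolean-based blind": "B",
    "error-based": "E",
    "inline query": "Q",
    "stacked queries": "S",
    "time-based blind": "T",
    "UNION query": "U",
}


def parse_summary(text):
    """Extract parameter, place, type, title and DBMS from a detection summary."""
    param = re.search(r"^Parameter:\s+(\S+)\s+\((\w+)\)", text, re.M)
    typ = re.search(r"^\s+Type:\s+(.+?)\s*$", text, re.M)
    title = re.search(r"^\s+Title:\s+(.+?)\s*$", text, re.M)
    dbms = re.search(r"the back-end DBMS is (\S+)", text)
    if not (param and typ and title):
        raise ValueError("no injection point found in summary")
    return {
        "parameter": param.group(1),
        "place": param.group(2),
        "type": typ.group(1),
        "title": title.group(1),
        "dbms": dbms.group(1) if dbms else None,
    }


def filter_from_title(title):
    """Turn the reported title into a --test-filter value.

    After detection sqlmap reports a concrete column count ("- 2 columns"),
    whereas the generic test it matched describes a range, so the thread's
    command keeps only the part before " - ". We do the same here.
    """
    return title.split(" - ", 1)[0]


def build_command(url, finding):
    """Assemble the sqlmap command a triager can rerun to confirm the finding.

    Every argument is shell-quoted, so the '?' in the URL and the spaces and
    parentheses in the filter survive copy-paste into bash or zsh.
    """
    argv = ["sqlmap", "-u", url, "-p", finding["parameter"]]
    if finding["dbms"]:
        argv.append("--dbms=" + finding["dbms"])
    letter = TECHNIQUE_LETTERS.get(finding["type"])
    if letter:
        argv.append("--technique=" + letter)
    argv.append("--test-filter=" + filter_from_title(finding["title"]))
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    finding = parse_summary(SAMPLE_SUMMARY)
    # The lab_host URL is the placeholder from the thread.
    print(build_command("https://lab_host/filter?category=Food+%26+Drink", finding))
```

Paste the printed command into the report next to the original detection command; the triager then confirms the same injection point with the filtered test set instead of the full run.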
This saves a lot of the triager's time and reduces the time required for you to get those sweet bounties.
13/13
