Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about how to tap and successfully use the SQL injection loopholes in the host head of the Popular Sports website. the article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

The following is the complete process of "how I use the host header to find SQL injection vulnerabilities, and use sqlmap tamper scripts to bypass the rules and dump the target database."

When I tried to check the application for explosible OTP vulnerabilities using the burp intruder module, I found that my IP was blocked immediately, and from the error message returned, I could almost conclude that the application was using AWS. In addition, I found that the "X-Amz-Cf-Id" header was set in the HTTP response (CloudFront adds CloudFront to the viewer request before forwarding the request to the original request), which confirms my judgment.

Now, let's start testing for possible vulnerabilities. Testing is a lot of work, and we can't let it go anywhere easily. Let's start with the mainframe. I changed the value of the mainframe head, but it didn't work. Because the application runs on AWS, they must have used resilient load balancing (ELB), so I decided to add X-Forwarded-Host to try to attack the host header. As follows-

I set it to www.google.com and redirect 302 to google.com, but when I set this value to www.evil.com, I got the following response-

You can see that the status is displayed as 403 Forbidden. Obviously, the application's back-end server must have set up some whitelist of host values (because it allows google.com but denies evil.com). There are now two possibilities. One is that the script checks against an array / list of allowed values. Second, they store the values in the database, so that there will be a database search process. So, I tried some sql queries for X-Forwarded-Host values, as follows-

You can see that I set the delay injection statement to execute for 10 seconds, while the HTTP response time is 9.4 seconds, which is enough to prove that there is a SQL injection vulnerability in the X-Forwarded-Host header. The next task is to extract the data from the target database. I usually use sqlmap to assist me here, but unfortunately the sqlmap connection is rejected. I tried to add the-- delay and-- timeout parameters to limit the HTTP request and increase the timeout, but the connection was still rejected, which I suspect has something to do with the character blacklist.

To verify my guess, I typed a XSS test statement "alert (1)" into the X-Forwarded-Host header, and sure enough, the response was HTTP STATUS 400  -  BAD REQUEST ERROR

Obviously, script tags and characters are also on the blacklist. A tamper script for between.py is provided in SQLMAP, and I replace () with "NOT BETWEEN" and include it in the sqlmap query. After running for a period of time, I successfully obtained the data in the target database, including user credentials, email-id and other information.

The above is the editor for you to share how to explore and successfully use the Popular Sports site host head SQL injection loopholes, if you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.