#BugBounty —” Database hacked of India’s Popular Sports company”-Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection.

Avinash Jain (@logicbomb)
4 min readJun 6, 2018

--

Hi Guys,

One more interesting blog , one more interesting vulnerability that I managed to found out during my bugbounty hunt and it comes in India’s popular sports website and this is about “How I was able to exploit Host Header to find out SQL injection, bypassing rule using sqlmap tamper script and later on dump the database” . Let’s see what was the complete scenario —

While checking the application for bruteforce OTP vulnerability , I run the burp intruder on the site and found that my IP got blocked and I could see the error message thrown from which I could figure out that application was over AWS. Further I found that “X-Amz-Cf-Id” header set in HTTP response (which CloudFront adds to the viewer request before forwarding the request to the origin) -

Cloudfront header

and this was enough for me to decide that application is running over AWS. Now before directly jumping to check for some critical vulnerability, I always start from low hanging fruits (just to increase the list of vulnerabilities :) ) so I started with Host header attack , changed the host header value but it didn’t work. As I knew that application is over AWS so they must using ELB (elastic load balancer) so I tried the host header attack using X-Forwarded-Host header as below —

Added X-Forwarded-host header

Added X-Forwarded-Host header , set it to value to www.google.com and I got 302 redirection to google.com but when I set the value to www.evil.com , I got the below response-

HTTP 403 Forbidden

HTTP Forbidden with status code 403 and now something striked my mind. As it was clear that the application backend server must be having some whitelisting of host values (as it has allowed google.com but denied evil.com), now there are two possibilities either some script is checking it against array/list of allowed values or if they are storing the values in the database then there may be a Database lookup. So just to check the same , I tried some sql queries against the value of X-Forwarded-Host and this is what I got —

Time based SQL Injection in X-Forwarded-Host header

As you can see in the above screenshot, I gave a sql query with the sleep() of 10sec and time it took for HTTP response is 9.4sec. and yes , an unusual case of SQL injection in X-Forwarded-Host header :) and then the next task was to extract some DB content and as most usually I ran sqlmap over the vulnerable parameter and found that connection was getting refused , I decided to add the time delay to throttle HTTP requests and increase the connection timeout (--delay=DELAY --timeout=TIMEOUT and waited for some time but still I faced the same issue , might be some blacklisting of characters. To quickly check this , I entered “<script>alert(1)</script>” in the X-Forwarded-Host header and got the response with HTTP STATUS 400 — BAD REQUEST ERROR

The thing was pretty much clear, script tags, <,> character was blacklisted . SQLMAP provide tamper script — between.py to replace symbols (<,>) with “NOT BETWEEN”. So I included it in the sqlmap query , ran it and after some time I ended with the complete database of the enterprise containing sample level user credentials , email-ids and lots of more data — (For Proof of Concept)

Database Data

and this is how I was able to found an unusual case of SQL injection by bypassing Host header attack using X-Forwarded-Host in India’s Popular Sports company.

Report details-

03-May-2018 — Bug reported to the concerned company.

03-May-2018 — Bug was marked fixed.

03-May-2018 — Re-tested and confirmed the fix

05-May-2018- Rewarded by the company.

Thanks for reading!

~Logicbomb ( https://twitter.com/logicbomb_1 )

More where this came from

This story is published in Noteworthy, where thousands come every day to learn about the people & ideas shaping the products we love.

Follow our publication to see more product & design stories featured by the Journal team.

--

--

Avinash Jain (@logicbomb)
Avinash Jain (@logicbomb)

Written by Avinash Jain (@logicbomb)

Security Engineer @Microsoft | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes, BBC| Acknowledged by Google, NASA, Yahoo, UN etc