corben.io


infosec write-ups and ramblings

Corben Leo
Author

A Simple SQL Injection in an Air Force Website

Information is key. What sort of information could be in an Air Force Database?

Who would get hurt by that data? Who would it benefit?

In 2017, 17-year-old me easily gained access to an Air Force database.

Back then, I practiced in the DoD's Vulnerability Disclosure Program (VDP). I was looking at the Air Force subdomains and I decided to look for sites running PHP.

To do this, I used Google. If you use Google, you should know about Google Dorks. (If you don't, look them up!)

I looked up: site:*.af.mil + ext:php and site:.af.mil + filetype:php.

I got a ton of results and I visited one:

https://███.af.mil/php/███/███.php

It was a form that asked for an email. So, I entered an email and submitted the form:

https://███.af.mil/php/███/███[email protected]

I decided to try SQL injection, since the application was likely saving my email to a database.

So, I tried the following: https://███.af.mil/php/███/███.php?email='

The application responded with an error message that the email address was invalid.

So, I tried the following: https://███.af.mil/php/███/███.php?email='@hackerone.mil

This time I got an SQL error!

You have an error in your SQL syntax

Sweet! It's MySQL! This application showed database error messages. Knowing this, I wanted to gain information by triggering error messages through MySQL's XML functions.

The UpdateXML() function replaces the portion of an XML document matched by an XPath expression and returns the modified document.

UpdateXML('xml', 'xpath_expression', 'new replacement')

If the function is given an invalid XPath expression, it throws an error, and the error message echoes the offending expression back. That is what makes it useful here: whatever gets concatenated into the XPath argument comes back to the user inside the error text.

So, I came up with the following:

https://███.af.mil/php/███/███.php?email=' and updatexml(null,concat(0x0a,version()),null)-- [email protected]

XPATH syntax error: ':5.6.24-log'
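To make the two halves of this bug concrete (a query built by string concatenation, and a database error echoed straight to the client), here is an added example that is not the author's code or the Air Force application's code. It models a minimal email sign-up handler with the flaw, beside a hardened version. sqlite3 stands in for MySQL so the file runs offline; the string-literal breakout behaves the same way, only the engine's error text differs. The shape of the original validator (accepting '@hackerone.mil but rejecting a bare ') is an assumption reconstructed from the behaviour described above.

```python
"""
Added example, not code from the write-up: a minimal email sign-up handler
that reproduces the flaw described above, beside a hardened version.
sqlite3 stands in for MySQL so it runs offline; the string-literal breakout
behaves the same way, only the engine's error text differs.
"""
import logging
import re
import sqlite3

log = logging.getLogger("signup")

# Inputs from the write-up, reused here as constructed test values.
BARE_QUOTE = "'"
QUOTE_WITH_DOMAIN = "'@hackerone.mil"
XML_ERROR_PAYLOAD = "' and updatexml(null,concat(0x0a,version()),null)-- x@example.com"

# Assumed shape of the original validator: it let "'@hackerone.mil" through
# while rejecting a bare "'", so it looked for an "@" and a dot, nothing more.
def weak_validate(email: str) -> bool:
    return "@" in email and "." in email.rsplit("@", 1)[-1]

# Stricter syntactic check. It is not the injection defence (a quote is a
# legal character in a local part); the parameterized query below is.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE signups (email TEXT NOT NULL)")
    return conn


def vulnerable_signup(conn: sqlite3.Connection, email: str) -> str:
    """Query built by string concatenation; engine error echoed to the client."""
    if not weak_validate(email):
        return "invalid email"
    sql = f"INSERT INTO signups (email) VALUES ('{email}')"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        # This is the leak: the client learns the engine and how the query broke.
        return f"DB error: {exc}"


def hardened_signup(conn: sqlite3.Connection, email: str) -> str:
    """Parameterized query; input is bound as data, errors stay server-side."""
    if not EMAIL_RE.fullmatch(email):
        return "invalid email"
    try:
        conn.execute("INSERT INTO signups (email) VALUES (?)", (email,))
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        log.error("signup insert failed: %s", exc)  # detail goes to the log
        return "error"  # generic message for the client


def stored_emails(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT email FROM signups ORDER BY rowid")]


if __name__ == "__main__":
    vuln, safe = make_db(), make_db()
    for value in (BARE_QUOTE, QUOTE_WITH_DOMAIN, XML_ERROR_PAYLOAD):
        print(f"{value!r:70} vulnerable -> {vulnerable_signup(vuln, value)}")
        print(f"{'':70} hardened   -> {hardened_signup(safe, value)}")
    print("stored by hardened handler:", stored_emails(safe))
```

The point the example makes is that the validator was never the control: '@hackerone.mil passes even the stricter regex, and the hardened handler is fine with that because the value is bound as a parameter and lands in the table as text. The same two changes apply to the PHP/MySQL stack in the write-up, prepared statements for the query and a generic error page with the real engine error written to a server log.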

I stopped here and reported it to the Department of Defense's vulnerability disclosure program on HackerOne.

You can see the redacted report here: https://hackerone.com/reports/277380
