My write-up on hacking IBM's administration panel and getting SQLi on it

Hi hackers and hunters!

Welcome to my new write-up in my Bug Hunting Journey. Today's write-up will be unique, because here I'll show you how I was able to take over IBM's administration panel and escalate it to SQL Injection, so let's start.

What does this write-up include?

  • Some tips & tricks for Shodan recon
  • One of my methodologies for finding Broken Access Control vulnerabilities
  • An impact escalation guide
  • SQL Injection basics
  • SQL Injection in Java-based applications

First, you should know that finding a vulnerability, even a critical one, is not enough; always try to escalate it if you want to be among the elite hackers! So I wanted to start my recon on IBM via the Shodan IoT search engine, and for that I needed to know the 'Organization name' in IBM's SSL certificate. You can get it in many ways, for example manually by checking the SSL certificate in the browser like this:

Or by using a web-based tool such as SSLShopper; the result will simply look like this:

You may ask why knowing the SSL organization is so important to us when doing Shodan recon. The answer is simply that Shodan is a huge Internet/IoT search engine that scans and monitors tons of IPs and domains every day, so you should filter your search results to avoid wasting time. Now we know that IBM's organization name is 'International Business Machines Corporation', so let's perform some Shodan dorking. First we'll do a broad search that specifies the company without searching for a specific domain or IP, using the dork:

ssl:"International Business Machines Corporation"

After surfing the results I got access to the target:

At first you may ask: what proves that this host is owned by IBM? Simply search deeper. First, which ports appeared for it in Shodan?

  • 80 -> HTTP
  • 443 -> HTTPS

Good, so that means we can look at the SSL certificate of this IP address, right? Yes, so let's start some manual SSL digging:

As you can see, the 'Organization name' here is IBM Corporation. Now let's visit this host to identify our testing environment:

Hmm, at first sight you would leave this host because it shows a default server page, right? But what if I told you that some of the most critical vulnerabilities are found in cases exactly like this? Here are some reasons to hunt for vulnerabilities on servers that show default pages:

  • Server features that expose logs or internal state may still be enabled because the developer has not disabled them yet, or forgot to; a default page usually means the server is new. Example: /server-status/
  • In most cases developers keep their under-development projects on such hosts, and those may contain hard-coded credentials, leaked secrets, use of insecure functions, etc., so you can simply find them here.
  • Pages like this expose software versions, so you can check whether the server is affected by a known CVE.

And a lot of other reasons. So I did some directory fuzzing to map the application until I found a sensitive endpoint (I can't mention the endpoint name due to IBM's policy). After opening this endpoint I got the following:

Before starting my testing I wanted to know what technology this web application runs on, so I checked with the Wappalyzer extension like this:

Getting back to the panel, there was no critical impact yet: I was just able to list all the users in the system. But I wanted more impact, so at this point I started parameter fuzzing with the Arjun tool until I found a parameter named client_id. I tried giving this parameter an id to see how the application would handle it:

As you can see, once I gave it a value I got three functionalities:

  • Adding a user
  • Editing the user
  • Deleting the user

So I wanted to add myself as a PoC for this BAC (Broken Access Control), and I did:

But there was a trick to this exploit. The application was under development, so if you use a client_id already taken by another client, the application gives you an error message. If you face a situation like this and want a successful BAC PoC, what should you do? In my case I used enumeration, getting back to the user list page:

I enumerated the client_id parameter with Burp Intruder, and as soon as I hit a 'user not found' error I took that id and assigned myself to it. See? It's very simple.

Now, when I took a look at client_id, and knowing this web application runs on Java, I imagined the SQL being built in the back end like this:

So I tried injecting the payload:

1'/**/or/**/1=1;--

in order to dump all the clients from the database. But before continuing we should understand why this worked. First, the injected code ends up in the back end like this:

Let me show you how this works:

SELECT uname FROM users WHERE client_id = 1;
  • This SQL query tells the database to select the usernames stored in the users table, but to return only the one whose client_id equals 1.

Now let's explain it in a more advanced way:

// Read the client_id request parameter exactly as the user sent it
String uid = request.getParameter("client_id");
// Vulnerable: the raw value is concatenated straight into the SQL statement
String query = "SELECT uname FROM users WHERE client_id = " + uid;
  • This is Java source code. The first line reads the request parameter named client_id from the incoming HTTP request, so for example if you want to retrieve your own info the URL will look like: example.com/index.jsp?client_id=1
  • The second line concatenates that parameter into the SQL query string, so whatever you type in the parameter is passed to the SQL DBMS directly. For example, with example.com/index.jsp?client_id=1 the executed query is: SELECT uname FROM users WHERE client_id = 1

Now let's get into the exploit: why does 1' or 1=1;-- always win? Simply because of boolean logic. If you are familiar with programming you know that 1=1 is true, because the integer 1 equals the integer 1, while 1=2 is false, because 1 does not equal 2. So when I enter the payload:

1' or 1=1;--

I am telling the database to give me the info of the client whose client_id is 1 OR where the condition is true, and since true holds for every row, it simply returns the info of all clients. The leading single quote only matters when the parameter is embedded inside quotes (it closes the quoted value); in a bare numeric context like the query above, 1 or 1=1 does the same job, and ;-- comments out whatever the application appends after the injection point. I hope I explained it in a simple way.
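To make the two explanations above concrete, here is an added Python/SQLite model of the concatenation bug. It is not code from this post or from IBM's application (the real back end is Java and was never seen); the table name, column names and rows are constructed for the example. It builds the same kind of query by string concatenation in both a bare numeric context and a quoted one, shows the tautology payloads returning every row, shows that a payload starting with ' fails with a syntax error when the parameter is not quoted, and puts the bound-parameter query (the PreparedStatement equivalent in Java) beside them.

```python
import sqlite3

# Constructed sample data standing in for the panel's user list (not real IBM data).
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory users table shaped like the query in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (client_id INTEGER PRIMARY KEY, uname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_numeric_concat(conn, client_id):
    """Vulnerable: the post's imagined Java line, parameter concatenated with no quotes."""
    query = "SELECT uname FROM users WHERE client_id = " + client_id
    return [row[0] for row in conn.execute(query)]


def lookup_quoted_concat(conn, client_id):
    """Vulnerable: same concatenation, but the parameter sits inside single quotes."""
    query = "SELECT uname FROM users WHERE client_id = '" + client_id + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_bound(conn, client_id):
    """Hardened: a bound parameter (PreparedStatement in Java) is only ever data."""
    rows = conn.execute("SELECT uname FROM users WHERE client_id = ?", (client_id,))
    return [row[0] for row in rows]


def demo():
    """Run every variant and return the observed results keyed by scenario."""
    conn = make_db()
    results = {
        # Legitimate use: one id, one username.
        "normal": lookup_numeric_concat(conn, "1"),
        # Bare numeric context: no quote needed, OR 1=1 is true for every row.
        "numeric_tautology": lookup_numeric_concat(conn, "1 or 1=1"),
        # Quoted context: the leading ' closes the literal, the trailing '1'='1 re-balances it.
        "quoted_tautology": lookup_quoted_concat(conn, "1' or '1'='1"),
        # Bound parameter: the whole payload is compared as a value and matches nothing.
        "bound_with_payload": lookup_bound(conn, "1 or 1=1"),
        # Bound parameter with a real id still works normally.
        "bound_normal": lookup_bound(conn, "1"),
    }
    # The classic 1' or 1=1 payload assumes a quoted context; in the numeric query
    # above the stray quote leaves an unterminated string and the DBMS rejects it.
    try:
        lookup_numeric_concat(conn, "1' or 1=1")
        results["quote_in_numeric"] = "executed"
    except sqlite3.OperationalError:
        results["quote_in_numeric"] = "syntax error"
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:20} -> {outcome}")
```

The point for a tester is the "quote_in_numeric" case: when a quoted payload produces a database error instead of data, try the unquoted form before concluding the parameter is not injectable. The point for a developer is the last two functions: binding the value leaves the query structure fixed no matter what the client sends.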

And the query really worked!! It gave me the info of every user in the database:

Finally I wanted to retrieve the data, so instead of enumerating by hand and trying a lot of SQL payloads, I always say:

Work smart not hard

So I used sqlmap to do this, with the following command:

sqlmap -u "https://example.com/vuln.jsp?client_id=1" --dbs --hostname --current-user --risk=3 --level=5 --random-agent

What does this sqlmap command do?

  • -u -> specify the target URL
  • --dbs -> enumerate the databases that exist on the DBMS
  • --hostname -> retrieve the database server's hostname
  • --current-user -> retrieve the current DBMS user
  • --risk -> controls which types of payloads sqlmap is allowed to use; the default is 1 and the maximum is 3 (risk 3 adds OR-based boolean payloads, which can be dangerous if the injection lands in an UPDATE or DELETE statement, so use it with care on production targets)
  • --level -> controls the number of checks sqlmap performs and which injection points it tests (higher levels also test cookies and headers); the default is 1 and the maximum is 5
  • --random-agent -> pick a random User-Agent from sqlmap's built-in list, because by default sqlmap identifies itself with a User-Agent like (the version may differ):
sqlmap/1.3.11#stable (http://sqlmap.org)

which may be caught by firewalls or detected by the blue team.

Then finally I was able to dump the database, and the report has been resolved:

Momen Ali (Cyber Guy)

Penetration Tester | Bug Hunter | Cyber Security Instructor | CTF Dev & Player