Updated: Feb 9
Hi everyone, in this simple tutorial I will describe how I was able to find an SQL injection Vulnerability and OTP bypass via response manipulation.
Let me tell you something about the target first, The application was intended to block services of a stolen device of a particular region. So if we have proof like police complaints, IMEI numbers, and some details about where it was lost, then we can file a report in that app and block our device until it is found, and similarly, if we found our phone, we can simply request to unblock it from the same application.
In the first place for using it's services, the application asks for a mobile number for user authentication. When I entered the correct OTP and checked the Response to this Request. It was very simple HTTP/1.1 200 OK and “valid” Then I thought of Bypassing OTP verification
So for it, I entered another number I got the otp but this time I entered the wrong OTP and submitted it by capturing the request into Burp, I did Do intercept response to this request and then checked the Response it was "Invalid" I changed it to "valid"
After Forwarding the Response, I noticed that the Mobile Number was verified
So this was a simple case of OTP bypass by response manipulation
Now let us move towards SQL vulnerability
The Vulnerable URL was the one that was used to find the model of the device by entering the last 8 digits of the IMEI number.
This was the Request I got from Burp :
GET /Request/tacinfo.jsp?Tac=12345678 HTTP/1.1 Host: xxxx.com Content-Type: XYZ Origin: https://www.xxx.com Connection: close
I saved the Request into the a in .txt format
Then ran my sqlmap
sqlmap -r filename.txt --dbs
I got some cool stuff where I got the database
and I tried to get more than the DBS, I tried to check the table first using:
sqlmap -r filename.txt -D xxx --table
I found a lot of tables, Then I tried to get the columns
sqlmap -r filename.txt -D xxx -T xxx --columns
I got the columns too.
This was enough to report but After this, I also tried performing Union Based SQL injection because of my excitement
I used payload :
I got the version
I also tried Time Based SQL injection by using the payload:
I hope you find it informative. Peace!