That Moment When You Find an Authentication Bypass Vulnerability in a Bug Bounty Program?

One whole year has passed since I joined bug bounty programs on various platforms, and all I could find was a handful of XSS, XFS, CSRF and CRLF vulnerabilities, 2 to 3 logical bugs, and about a million duplicates...

On the evening of 22nd Dec 2015 I started looking for subdomains of a website that had been newly introduced to a bug bounty program. After fingerprinting all the domains I found a unique one that was hosted on an IIS server and running ASP.NET at the back end. An Nmap scan gave me the version of the server and the technology: the web application was running on Windows Server 2003 with Microsoft IIS 6.0 and Microsoft SQL Server 2005. That was far too old for 2015, so I went old school on one of the page's parameters and searched for SQL injection.


I injected a quote and within a few seconds I received a SQL error. Now I was sure that a SQL injection vulnerability was present in this subdomain. As it was a subdomain, the severity of the bug was lower, so my main job was to find as many unique SQL bugs in the web application as possible.

My second thought was to check for every SQL injection point, so I ran an automated SQL scan against the web app.


After a full scan of the web application, all I found were 3 unique parameters with SQL bugs. But luckily 2 of those parameters were "Email" and "Password". After seeing them I got the idea of bypassing authentication via SQLi. So now I was able to report two different types of bug:
1. Authentication bypass via SQLi
2. Error-based SQL injection

Now comes the POC part for both. Exploiting the error-based SQL injection was easy if you know how to perform the attack; alternatively, you can use modern automated injection tools to create the POC. So I used sqlmap to create the POC for the error-based SQL injection.
   


Now, creating the POC for authentication bypass via SQLi...
1. I opened the admin login page.


2. I intercepted the authentication request via Burp Suite.


3. I started brute forcing with different SQLi payloads; the list went like this:
' or ' 1 ' = ' 1
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

and in the end the payload: 'or' '='
wooooooooooo..... at last it worked for me.
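Why a login form falls to this kind of payload, and what the fix looks like, as an added illustration that is not the author's code or the target's: the vulnerable ASP.NET/MSSQL code is not on the page, so a constructed in-memory SQLite users table and two login functions (string-concatenated versus parameterised) stand in for it. One caveat on the payload choice: the author's final payload 'or' '=' relies on SQL Server comparing strings with trailing-space padding (there ' ' = '' is true), which SQLite does not do, so the demonstration uses the ' or 1=1-- entry from the list above instead.

```python
"""Vulnerable login (string concatenation) beside its parameterised fix.

Added example: the target's real code and schema are unknown, so a
constructed SQLite table with one account stands in for them.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account in an in-memory database.
    The password is stored in clear text only to keep the example short;
    a real system stores a salted password hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        ("admin@example.test", "correct horse"),
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, email: str, password: str):
    """The bug class the write-up found on the Email and Password parameters:
    user input is pasted straight into the SQL text, so quotes in the input
    change the structure of the query. Returns the matched email or None."""
    sql = (
        "SELECT email FROM users WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, email: str, password: str):
    """The fix: bound parameters. The driver sends the input as data, so a
    quote or a comment sequence is compared literally, never parsed as SQL."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


def probe(login, conn: sqlite3.Connection, email: str, password: str) -> str:
    """Classify one login attempt the way the write-up did:
    'error'    - the input broke the query (the symptom behind the SQL error
                 the author saw after injecting a single quote),
    'bypass'   - a row came back without valid credentials,
    'rejected' - the query ran and matched nothing."""
    try:
        return "bypass" if login(conn, email, password) else "rejected"
    except sqlite3.Error:
        return "error"


def compare(conn: sqlite3.Connection) -> dict:
    """Run the quote probe and the ' or 1=1-- payload from the list against
    both implementations and collect the outcomes."""
    results = {}
    for name, login in (("vulnerable", vulnerable_login), ("safe", safe_login)):
        results[name] = {
            "quote": probe(login, conn, "'", "x"),
            "or_1_eq_1": probe(login, conn, "' or 1=1--", "x"),
            "real_creds": probe(login, conn, "admin@example.test", "correct horse"),
        }
    return results


if __name__ == "__main__":
    for impl, outcome in compare(make_db()).items():
        print(impl, outcome)
```

The concatenated version reports an error for a lone quote and a bypass for the comment-terminated payload, while the parameterised version rejects both and still accepts the genuine credentials; the same contrast is the quickest code-review check for this bug class, and a database error surfacing on a login form is the signal worth alerting on in logs.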

So finally both of my POCs were created, and I received a good amount of bug bounty for both reports.

- Raghav