SQL Injection attack on Email ID field

Hi, I’m Sumeet Sunil Mahadik, a security engineer. I’m passionate about Hacking and Cyber Security. I strive to help people and organizations stay safe online.

I started this blog to share my knowledge and experience with others. In this blog, I’ll be writing about how I was able to perform an SQL Injection attack on the Email ID field.

While testing a target website, I noticed that the website offers a subscribe feature with an email ID field. By filling in the email ID field, users have the option to subscribe and receive regular updates directly to their inboxes.
Seeing an input field I assumed that it might store the email address somewhere in the back-end database. So there was a possibility of SQL Injection, I entered my email address and to verify this I captured the request into the Burp and sent it to the repeater. (Find below request)

…
Request:
GET /ajaxsendnewsupdate.aspx?txtNewsUpdates=”email-id” HTTP/2
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
…

Here, I removed the email address from the email ID parameter, replaced it with a single quote ( ‘ ), and sent the request. (Find below request)

…
Request:
GET /ajaxsendnewsupdate.aspx?txtNewsUpdates=” ‘ “ HTTP/2
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
…

Now, in response, I got a “ 500 Internal Server Error “ which stated a database error “ ORA — 01756: quoted string not properly terminated “ which confirms SQL Injection possibility.

Further to exploit the vulnerability, I used the sqlmap tool in which I ran a command:
“ sqlmap — url https://target.com/ajaxsendnewsupdate.aspx?txtNewsUpdates=”email-id” — dbs “

By which I was able to identify the type of database and names of available databases.

This is how I was able to find SQL Injection vulnerability.

Thank you for reading this blog.
Hope you found this interesting and informative.

HAPPY HACKING !!