Error-Based SQL Injection on a WordPress website and extracting more than 150k user details

Description

First of all, this is my first write-up, so sorry for any mistakes. In this write-up, I will share with you how I got the data of more than 150k users from a WordPress website, and how I bypassed some of the errors that I ran into on this WordPress website.

Detecting the vulnerability and fixing the errors

Let’s call the website target.com.

I saw this page, and as we know, to detect SQL injection vulnerabilities we use a single quote ‘, a double quote “, a slash /, or a hash #, etc.

So I found this URL:

and I tried to trigger a SQL error with the single quote [‘]

but no error; nothing was shown on the page ???

Some people will leave the website, and others, smart like me 😂, will open the page source [this has happened to me more than once, so always check everything]. So I went to the page source, and I found the following error:

As far as I know, if the injection point comes after LIMIT you can’t execute SQL injection, but in my case the injection point is before the LIMIT, so it is possible to execute SQL injection.

The first thing was to try to fix this error. I tried the following:

but no luck; I always got the following error:

This is the error [Unknown column p.1 in order clause].

The most useful thing about this error is that it reveals some of the columns in the database, so we can fix it by replacing the value of the sort parameter with any column belonging to [p]. The error shows 6 columns: UpvoteCount, DownvoteCount, CategoryId, AggregatorId, Status and Id. Choose one of them:

No error is shown in the page source, so I successfully fixed the error [Unknown column p.1 in order clause] by replacing the value of the sort parameter with CategoryId, which is a column in the database.
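The error [Unknown column p.1 in order clause] is what you get when a request parameter is pasted straight into an ORDER BY clause. The following is an added example, not code from the write-up or from the target site, that puts the vulnerable pattern next to the fix a developer would apply: an allow-list that maps the sort parameter to a fixed column name, and an error handler that logs the database message server-side instead of rendering it into the page (which is how the error ended up in the page source above). The table name `posts`, the allow-list keys and the sample rows are assumptions for the demo; the column names are the ones the error revealed, and SQLite stands in for MySQL.

```python
import sqlite3

# Constructed demo schema: the column names are the six the error revealed,
# the table name and rows are assumptions for this example only.
_SCHEMA = """
CREATE TABLE posts (
    Id INTEGER PRIMARY KEY,
    CategoryId INTEGER,
    AggregatorId INTEGER,
    UpvoteCount INTEGER,
    DownvoteCount INTEGER,
    Status INTEGER
);
INSERT INTO posts VALUES (1, 3, 10, 5, 1, 1);
INSERT INTO posts VALUES (2, 1, 11, 9, 0, 1);
INSERT INTO posts VALUES (3, 2, 12, 2, 4, 0);
"""

# Server-side record of database errors; nothing from here reaches the client.
ERROR_LOG = []


def vulnerable_query(sort):
    """The pattern behind 'Unknown column p.1 in order clause': the request
    parameter is interpolated into ORDER BY, so any SQL expression runs."""
    return f"SELECT p.Id FROM posts p ORDER BY p.{sort} LIMIT 3"


# Hardened version: the client picks a key, never an identifier. Keys are
# an assumption for the demo; the values are the real column names.
ALLOWED_SORT = {
    "id": "Id",
    "category": "CategoryId",
    "upvotes": "UpvoteCount",
    "downvotes": "DownvoteCount",
}


def safe_query(sort, direction="asc"):
    """Only allow-listed identifiers reach the SQL text; anything else is
    rejected before a query is built, so no database error is produced."""
    column = ALLOWED_SORT.get(sort.lower())
    if column is None:
        raise ValueError("unsupported sort column")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError("unsupported sort direction")
    return f"SELECT p.Id FROM posts p ORDER BY p.{column} {direction.upper()} LIMIT 3"


def is_rejected(sort, direction="asc"):
    """True when the hardened builder refuses the supplied sort value."""
    try:
        safe_query(sort, direction)
    except ValueError:
        return True
    return False


def run(sql):
    """Execute against the in-memory demo DB and return the Id list, or None
    on a database error. The error text is kept in ERROR_LOG rather than
    returned, which is the fix for the page-source leak in the write-up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        ERROR_LOG.append(str(exc))
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    print(run(vulnerable_query("CategoryId")))        # legitimate use works
    print(run(vulnerable_query("1")))                 # sort=1 -> DB error, logged, None returned
    print(run(vulnerable_query("Id, (SELECT 1)")))    # injected expression is executed
    print(safe_query("category"), is_rejected("1"))   # hardened builder rejects sort=1
```

With `run()` returning `None` and logging the detail, the page renders a generic failure and the attacker loses the column-name feedback that made the next steps of this write-up possible; the allow-list removes the injection point entirely.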

How does Error-Based SQL Injection work

Error-Based SQL injection is a method of extracting information from a database when UNION SELECT does not work at all. It is done with a crafted query that makes the database put the information you want into the error message it returns.

How do you know when to use it

You can use an Error-Based query when you get the following errors:

Knowing the Database Version

Enter this query at the end of the URL:

In my case this will look like this:

The version of the database is:

Getting the database name

We can get the database name with this query:

Increase the LIMIT offset to extract all the databases.

Example: limit 0,1, limit 1,1, limit 2,1, etc.

In my case this will look like this:

The database name is:

Getting the table names

We can get the table names with this query:

and in my case:

The first table name is:

First table: wp_mail

As I mentioned above, increase the LIMIT offset to get all the tables in the database, and yes, I got more than 180 tables 😈

Or you can get all the tables without using LIMIT; just use the following query:

You need to increment the 1,150 to, for example, 20,150, 40,150, etc.

If the substring function doesn’t work, you can use substr or mid.

One of the important tables is wp_users

So, let’s get the columns of the wp_users table.

Getting columns from wp_users table

We can get the columns with this query:

0x77705f7573657273 is wp_users in hex.

and in my case:

Increment the limit to extract all columns…

Or you can extract all columns without LIMIT, as I mentioned above, with substring, substr, or mid.

Column names :

Extracting the data from columns

We can extract the data from the columns with the following query:

Or without LIMIT, with the following query:

0x7e is ~ in hex; you can separate the values with whatever you want.

prd2.wp_users: prd2 is the database in my case, which we extracted above with the database name query, and wp_users is the table we want to extract the data from.
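The extraction steps from the database version down to the user rows all leave the same traces in the web server log: hex-encoded table names such as 0x77705f7573657273, string-slicing functions (substring/substr/mid), and one request per row as the LIMIT offset is walked 0,1 / 1,1 / 2,1. The following is an added example, not code from the write-up, of detection logic a defender can run over access logs to catch that activity; it decodes the hex literals so an encoded wp_users reference is spotted, and it groups LIMIT offsets per client to flag row-by-row enumeration rather than a single suspicious request. The log lines are constructed for the example (RFC 5737 addresses, Apache-style format), the `SENSITIVE_TABLES` set and the `min_offsets` threshold are assumptions, and `information_schema` is included as the standard MySQL catalogue name.

```python
import re
from urllib.parse import unquote_plus

# Tables worth an alert when referenced from a query string; wp_users is the
# one the write-up went after. wp_usermeta is another standard WordPress table.
SENSITIVE_TABLES = {"wp_users", "wp_usermeta"}

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
LIMIT_ENUM = re.compile(r"\blimit\s+(\d+)\s*,\s*1\b", re.IGNORECASE)
STRING_FUNCS = re.compile(r"\b(substring|substr|mid)\s*\(", re.IGNORECASE)

# Constructed sample log: one ordinary request, then one client walking
# LIMIT offsets and finally naming wp_users as a hex literal.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?sort=CategoryId HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?sort=CategoryId,(select+substring(table_name,1,150)+from+information_schema.tables+limit+0,1) HTTP/1.1" 200 812
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?sort=CategoryId,(select+substring(table_name,1,150)+from+information_schema.tables+limit+1,1) HTTP/1.1" 200 812
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?sort=CategoryId,(select+substring(table_name,1,150)+from+information_schema.tables+limit+2,1) HTTP/1.1" 200 812
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?sort=CategoryId,(select+column_name+from+information_schema.columns+where+table_name=0x77705f7573657273+limit+0,1) HTTP/1.1" 200 812
""".splitlines()


def decode_hex_literals(text):
    """Decode every 0x... literal that is printable ASCII text
    (0x77705f7573657273 -> 'wp_users', 0x7e -> '~')."""
    out = []
    for m in HEX_LITERAL.finditer(text):
        try:
            s = bytes.fromhex(m.group(1)).decode("ascii")
        except ValueError:          # odd length or non-ASCII bytes: not a string literal
            continue
        if s.isprintable():
            out.append(s)
    return out


def analyze_request(path_and_query):
    """Return the reasons one request looks like schema or data enumeration
    (empty list for a clean request). The target is URL-decoded first."""
    decoded = unquote_plus(path_and_query)
    lowered = decoded.lower()
    reasons = []
    for name in decode_hex_literals(decoded):
        if name.lower() in SENSITIVE_TABLES:
            reasons.append(f"hex-encoded reference to {name}")
    for name in sorted(SENSITIVE_TABLES):
        if name in lowered:
            reasons.append(f"plain reference to {name}")
    if "information_schema" in lowered:
        reasons.append("information_schema lookup")
    if LIMIT_ENUM.search(decoded):
        reasons.append("single-row LIMIT n,1 selection")
    if STRING_FUNCS.search(decoded):
        reasons.append("string-slicing function in a parameter")
    return reasons


def enumeration_sources(log_lines, min_offsets=3):
    """Client addresses that walked at least min_offsets distinct LIMIT
    offsets (limit 0,1 / 1,1 / 2,1 ...) across their requests."""
    offsets = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for off in LIMIT_ENUM.findall(unquote_plus(target)):
            offsets.setdefault(ip, set()).add(int(off))
    return {ip for ip, seen in offsets.items() if len(seen) >= min_offsets}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        m = LOG_LINE.match(line)
        print(m.group(1), analyze_request(m.group(2)))
    print("enumerating clients:", enumeration_sources(SAMPLE_LOG))
```

Per-request scoring catches the hex-encoded wp_users reference that a plain keyword match would miss; the per-client offset count is the stronger signal, because a LIMIT n,1 walk with an otherwise constant query is exactly what the Intruder run in the next section produces.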

Let’s do something faster and extract the data with Burp Intruder.

  • Intercept the request that contains the data-extraction query with Burp Suite.
  • Send the request to Intruder.
  • We will use Grep - Extract to pull out the data we want; follow these steps:
  1. Go to Options.
  2. Go to Grep - Extract, then click Add.
  3. Click the Refetch response button.
  4. Select the data that you want to extract.
  5. Click OK.
  • We want to save only the data that we selected in the Grep - Extract step; after the attack, follow these steps:

Here is the end of the story: I was able to extract the data of more than 150k users, with a lot of valuable details; it’s an eCommerce website, and you know what I mean.

What you can learn from this simple write-up:

  • Always try to view the page source.
  • Understand the error very well, and don’t depend on SQLMap or any other tool at first.

Thanks

Bug bounty hunter
