Lucky Bug Which Let Me Change Name of Every Accounts at a Single Click

This is one of the more interesting bugs I found in bug bounty. The vulnerability is not SQL injection or IDOR; it is an improper input validation flaw.

Hello guys, I'm Merbin Russel. I'm a newbie in bug bounty, but I wish to share my findings with this community. I found this bug in Dec 2019. It is an improper input validation type bug. I didn't exactly search for it; unexpectedly I got this one.
Let's assume the site is zsite.xyz. A forum is available at that site, and a user has two profiles:
  1. Account Profile
  2. Forum profile
Here, the account profile is private and the forum profile is publicly visible. While updating the forum profile I captured the following POST request.

-----------------------------184743557913069110541695459156
Content-Disposition: form-data; name="fullName"

Merbin
-----------------------------184743557913069110541695459156
Content-Disposition: form-data; name="countryId"

21
-----------------------------184743557913069110541695459156
Content-Disposition: form-data; name="region"

Tamil Nadu
-----------------------------184743557913069110541695459156
Content-Disposition: form-data; name="postcode"

5555
-----------------------------184743557913069110541695459156
Content-Disposition: form-data; name="occupation"

Bug bounty
-----------------------------184743557913069110541695459156
Content-Disposition: form-data; name="memberId"

99
-----------------------------184743557913069110541695459156
Content-Disposition: form-data; name="oldLoginName"

Merbin8
-----------------------------184743557913069110541695459156
Content-Disposition: form-data; name="submitBtn"

   Update    
-----------------------------184743557913069110541695459156--



You can see the countryId parameter in the request. I tested it for SQL injection with many payloads, but it was not vulnerable. After testing for SQL injection, I forgot to remove the # after the countryId parameter value.
Now the request looked like:

Content-Disposition: form-data; name="countryId"

21# 


You can notice that memberId is also present in the request, so I thought to test for IDOR. I changed the value of the memberId parameter to the memberId of another account of mine. Then I submitted the request, and I saw that the Name and Country details of my 2nd account had been changed.
I repeated the same request, changed the values of the region and postcode parameters, and submitted it with the memberId of the 2nd account.

But the region and postcode details had not changed. I knew that if it were an IDOR, I would have been able to change the region and postcode parameters as well, so I determined it was not an IDOR. Then I viewed some public profiles, and I was shocked.

The Name and Country id of every profile on that site had been changed to the name and country submitted by me. Then I noticed the # symbol after countryId. I removed it and submitted the request with another name and country values, but this time the Name and Country details of no other account were changed.

I reported it on HackerOne and explained it to them. They understood.
A long time later, I tried to understand the back-end process behind the bug. If my understanding is right, the following might be happening at the back end.
When we submit or update our data, the data is stored in the database.

The SQL query looks like:

UPDATE tablename SET column1 = 'data', column2= 'data2' WHERE data3 = 1;


In this case, the SQL query will look like:

 UPDATE forum_profile SET name ="Merbin",country =22, region="Tamil Nadu", postcode ="5555" WHERE id=50


Here countryId is a numerical value, so there is no need for single or double quotation marks around it.

When I put # after countryId, the query will look like:

 UPDATE forum_profile SET name ="Merbin",country =22#, region="Tamil Nadu", postcode ="5555" WHERE id=50


# starts a single-line comment in SQL (MySQL syntax).

So everything in the query after # is ignored. The WHERE clause is also ignored because it comes after the #.

Now the query is:

  UPDATE forum_profile SET name ="Merbin",country =22


I had a doubt: will a SQL query work without a WHERE clause?

I searched on Google and got the following answer.



In the query, the part " WHERE id=50" restricts the update to my own account. Because of the # after countryId, the WHERE clause and the values after it, such as postcode and region, were commented out. That's why I couldn't change any other values, and why the name and country were written to every row.
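The back-end process I inferred above, written out as an added example (this is my own reconstruction in Python with SQLite, not the site's code). It assumes a forum_profile table with the columns from the queries above and sample rows I constructed. The vulnerable function pastes form values straight into the SQL text, exactly as guessed; SQLite has no # comment, so the demo input uses its equivalent token `--`. The hardened function validates countryId as a plain integer, binds every value as a parameter, takes the target id from the session rather than from the memberId form field, and refuses to commit an UPDATE that touches anything other than exactly one row.

```python
import re
import sqlite3


# Constructed in-memory stand-in for the forum_profile table (assumed schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE forum_profile ("
        "id INTEGER PRIMARY KEY, name TEXT, country INTEGER, region TEXT, postcode TEXT)"
    )
    conn.executemany(
        "INSERT INTO forum_profile VALUES (?, ?, ?, ?, ?)",
        [
            (50, "Merbin", 21, "Tamil Nadu", "5555"),  # the tester's own account
            (99, "Other", 7, "Kerala", "1111"),        # unrelated accounts that must not change
            (123, "Third", 3, "Goa", "2222"),
        ],
    )
    conn.commit()
    return conn


def snapshot(conn):
    """Return all rows ordered by id, so a test can see exactly which rows changed."""
    return conn.execute(
        "SELECT id, name, country, region, postcode FROM forum_profile ORDER BY id"
    ).fetchall()


def update_profile_vulnerable(conn, member_id, form):
    """The pattern inferred in the post: form fields concatenated into the SQL text.

    countryId is numeric, so it is written without quotes; a comment token in that
    value therefore swallows everything after it, WHERE clause included.
    """
    sql = (
        f"UPDATE forum_profile SET name = '{form['fullName']}', "
        f"country = {form['countryId']}, region = '{form['region']}', "
        f"postcode = '{form['postcode']}' WHERE id = {member_id}"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows the UPDATE actually touched


class ValidationError(ValueError):
    pass


def parse_country_id(raw):
    """Strict whitelist: a short run of digits and nothing else (no spaces, no comment tokens)."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,6}", raw):
        raise ValidationError(f"countryId is not a plain integer: {raw!r}")
    return int(raw)


def update_profile_safe(conn, session_member_id, form):
    """Hardened form: validate, bind parameters, scope to the logged-in user's own id,
    and confirm exactly one row changed before committing."""
    country = parse_country_id(form["countryId"])
    cur = conn.execute(
        "UPDATE forum_profile SET name = ?, country = ?, region = ?, postcode = ? "
        "WHERE id = ?",
        (form["fullName"], country, form["region"], form["postcode"], session_member_id),
    )
    if cur.rowcount != 1:
        # An update that hits 0 or many rows is a bug or an attack; never commit it.
        conn.rollback()
        raise RuntimeError(f"expected to update 1 row, touched {cur.rowcount}")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    hit = update_profile_vulnerable(
        db, 50, {"fullName": "Merbin", "countryId": "21 --", "region": "Tamil Nadu", "postcode": "5555"}
    )
    print(f"vulnerable update touched {hit} rows:", snapshot(db))
    db = make_db()
    try:
        update_profile_safe(db, 50, {"fullName": "Merbin", "countryId": "21 --", "region": "x", "postcode": "0"})
    except ValidationError as exc:
        print("hardened update rejected input:", exc)
```

Running the vulnerable function reproduces what I saw on the site: every row gets the new name and country, while region and postcode stay untouched because they were behind the comment. The rowcount check in the hardened version is the cheap safety net: even if some other field escapes validation, an UPDATE that would touch every profile is rolled back instead of committed.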

If you have any comments or feedback, please post below.
You can follow me on Twitter.
Thanks for reading.
