How 2 Cute Bugs offered me a reward of 650€

Hey amazing cyberfolks 😊!! This is me, Ani, back with some interesting vulnerabilities I found, for which I was awarded a bounty of 650€.

Okay, now let's get started!!! It was a fine Saturday weekend, I was lazy af and bored🥱, so I decided to start hunting to shake off my laziness😎. I usually hunt on private programs I discover from Google dorks, since HackerOne and Bugcrowd are "crowded" sometimes. I don't recommend that you always hunt on these random dork programs either, as you may be disappointed by unresponsiveness many times :(

Anyway, I went to a GitHub repo that contains a curated list of Google dorks for discovering companies which offer responsible disclosure programs. I randomly picked one dork:

responsible disclosure bounty r=h:eu

I decided to choose a very old program, so I traversed many pages and picked a random domain. Let's call it "". "" was an online travel goods e-commerce site. It had various functionalities; I registered an account and started to play around. I tested for login issues and authentication-related bugs, but unfortunately had no luck :(

There was a search feature. I searched for testbro and noticed my input was reflected in the webpage. I decided to break out of the "" and inject an XSS payload (like "<img src=xss onerror=alert(1)>"), and when I hit search, to my surprise the payload got executed and I saw a popup 🤩.
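The root cause of that popup is a search term written into the HTML response without encoding. The snippet below is an added example, not code from the affected site: a hypothetical search-results template rendered the vulnerable way and the hardened way (contextual HTML escaping), plus a small parser-based check that shows the reflected tag only survives in the unsafe output. The payload string is the one from this write-up.

```python
"""Reflected search term: raw interpolation vs. contextual HTML encoding.

Added example for this write-up; not the affected site's code. The template
and the helper names are constructed for illustration.
"""
import html
from html.parser import HTMLParser

# The payload from the write-up, used here only as test input.
SAMPLE_PAYLOAD = '<img src=xss onerror=alert(1)>'


def render_search_unsafe(query: str) -> str:
    # Vulnerable pattern: user input is dropped straight into the HTML body,
    # so any markup in `query` becomes live markup in the response.
    return f'<p>Results for "{query}"</p>'


def render_search_safe(query: str) -> str:
    # Hardened pattern: escape for the HTML text context. quote=True also
    # encodes quotes, so the same helper is safe inside attribute values.
    return f'<p>Results for "{html.escape(query, quote=True)}"</p>'


class _TagCollector(HTMLParser):
    """Records every start tag the browser would see in a response."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered: str) -> list:
    # Regression check: the only tag a search page should contain is the
    # template's own <p>. Anything else means input became markup.
    parser = _TagCollector()
    parser.feed(rendered)
    return parser.tags


if __name__ == '__main__':
    print('unsafe:', tags_in(render_search_unsafe(SAMPLE_PAYLOAD)))
    print('safe:  ', tags_in(render_search_safe(SAMPLE_PAYLOAD)))
```

The `tags_in` check is the kind of assertion worth keeping in a test suite: feed every reflected parameter a tag-shaped string and assert the parsed output contains only the tags the template itself emits.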

I noticed an important thing: whenever we click on any product, the product ID appeared as a numerical value in the URL, like "". An idea struck my mind: why not try for SQL injection? I decided to put a ' after it, like productId=21'. To my surprise I got an SQL syntax error back from the server, like the one below.
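A quote breaking the statement and the raw database error reaching the browser are two separate defects, and the example below (added here, not the affected site's code) shows both with an in-memory SQLite table. The schema, rows and `productId` values are constructed; `lookup_unsafe` splices the query-string value into SQL the way the vulnerable endpoint evidently did, `lookup_safe` validates the expected type and binds a parameter, and `handle_request` logs database errors server side instead of echoing them to the client.

```python
"""Numeric product-ID lookup: string-built SQL vs. a parameterized query.

Added example for this write-up; not the affected site's code. The schema,
rows and helper names are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the site's product table.
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)')
    conn.executemany('INSERT INTO products VALUES (?, ?)',
                     [(21, 'travel pillow'), (22, 'packing cube')])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, product_id: str) -> list:
    # Vulnerable pattern: the raw query-string value is spliced into SQL.
    # productId=21' yields "... WHERE id = 21'", an unterminated string,
    # which is exactly the syntax error the write-up saw come back.
    sql = 'SELECT name FROM products WHERE id = ' + product_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, product_id: str) -> list:
    # Hardened pattern: enforce the type the application expects, then bind
    # the value as a parameter so it can never be parsed as SQL.
    if not product_id.isdigit():
        raise ValueError('productId must be a positive integer')
    return conn.execute('SELECT name FROM products WHERE id = ?',
                        (int(product_id),)).fetchall()


def handle_request(conn: sqlite3.Connection, product_id: str, lookup) -> tuple:
    # Returns an HTTP-style (status, body). Database errors are logged on the
    # server and never sent to the client: verbose SQL errors are what tipped
    # the author off and what automated tooling keys on.
    try:
        rows = lookup(conn, product_id)
    except ValueError:
        return 400, 'invalid product id'
    except sqlite3.Error as exc:
        print(f'[server log] query failed: {exc}')
        return 500, 'internal error'
    if not rows:
        return 404, 'not found'
    return 200, rows[0][0]


if __name__ == '__main__':
    db = make_db()
    for pid in ('21', "21'"):
        print('unsafe', repr(pid), handle_request(db, pid, lookup_unsafe))
        print('safe  ', repr(pid), handle_request(db, pid, lookup_safe))
```

Parameter binding is the fix; the type check and the generic error body are defence in depth, so that even if a query is ever built incorrectly elsewhere the server does not confirm it with a syntax error.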

I was like WHATTTTT!! Since I am a lazy ass hunter, I decided to exploit this using the SQLMAP tool (but I highly recommend trying out payloads manually to understand them). Okay, now back to the hunting.

I used the below command to list all the databases present on the target:

sqlmap -u --dbs

It listed all the databases. Looking through them, one caught my eye. I used that database name and listed all the tables present using the below command:

sqlmap -u -D redacted --tables

It listed all the tables; one of them caught my eye, named "users". I decided to dump that table. I used the below command for that:

sqlmap -u -D redacted -T users --dump-all

Wow, it dumped all the details, and WHATT, the admin username and password were also among them.

I got the admin username, and the password was in some sort of encoding. I used and figured out it was base64, decoded it, and got the password :)
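A base64 "password" is the second bug in this chain: encoding is reversible, so a dumped users table hands over every credential in plain text. The example below is added here and is not the affected site's code. It contrasts the reversible storage the write-up found with salted PBKDF2-HMAC-SHA256 hashing and constant-time verification, and includes a small audit helper that flags stored values which decode as base64 to printable text. The sample password and helper names are constructed.

```python
"""Reversible encoding vs. salted password hashing.

Added example for this write-up; not the affected site's code. The sample
credential and helper names are constructed for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import os

SAMPLE_PASSWORD = 'Winter2024!'  # constructed sample value
PBKDF2_ITERATIONS = 600_000       # current OWASP guidance for PBKDF2-HMAC-SHA256


def store_encoded(password: str) -> str:
    # What the write-up found: base64 is an encoding, not a hash. Anyone who
    # can read the column recovers the password with one decode call.
    return base64.b64encode(password.encode()).decode()


def recover_encoded(stored: str) -> str:
    return base64.b64decode(stored).decode()


def store_hashed(password: str, salt: bytes = None) -> str:
    # Hardened pattern: random per-user salt plus a slow key-derivation
    # function. The salt is only a parameter here so the test can be repeatable.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return f'pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}'


def verify_hashed(password: str, stored: str) -> bool:
    # Recompute with the stored salt and iteration count; compare in constant
    # time so a timing difference does not leak how many bytes matched.
    _algo, iterations, salt_hex, digest_hex = stored.split('$')
    candidate = hashlib.pbkdf2_hmac('sha256', password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def looks_reversible(stored: str) -> bool:
    # Audit helper for a credential store: a value that is valid base64 and
    # decodes to printable text is almost certainly an encoded password,
    # not a hash. A salted PBKDF2 record never passes this test.
    try:
        plain = base64.b64decode(stored, validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    return len(plain) > 0 and plain.isprintable()


if __name__ == '__main__':
    enc = store_encoded(SAMPLE_PASSWORD)
    hashed = store_hashed(SAMPLE_PASSWORD)
    print('encoded :', enc, '| reversible:', looks_reversible(enc))
    print('hashed  :', hashed[:40] + '...', '| reversible:', looks_reversible(hashed))
```

Running `looks_reversible` over an exported credential column is a cheap way to find this class of weakness before an attacker does; a hit means the column needs a migration to a proper KDF on next login.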

Okay, now that I had the username and password, I needed to find a way to log in as admin. I decided to do directory brute force using the gobuster tool, and I got an endpoint like "". So now you guys might have guessed what I must have done. I used those credentials and logged in as admin, YEA!!!

Now I wrote a detailed report regarding the findings and submitted it to the security team. After 3 days, they decided to offer me a reward of 650€ for the report.

Connect with me on LinkedIn (

That's it for today, folks. See you guys in another write-up :). Peace

Anirudh Krishnakumar (a.k.a. 0x_s3cur1ty_r3s34rch3r)

Security Operations Engineer | Full Stack Developer | DevSecOps Engineer | OSINT Investigator | Enthusiastic about Machine Learning and Artificial Intelligence