Power of Manual SQL Injection and Python

Hello there! , Hope you are doing great and learning loads of stuff from the community like I am.

This article is about how i was able to find an SQL injection Vulnerability in a Social Website and how i was able to exploit it using python. If you don’t know about SQL Injection or Python, i will suggest to visit the following links.

SQL Injection

Python Programming Language

As everyone know, a vulnerability cannot be found directly. You have to waste lots of time and energy on searching, i did the same. I opened up BurpSuite (Favorite tool of every web pentester) and was testing every input and result in that platform i was facing. As i was going through menus, i saw an option Invite Friends.

Invite Friends Option

By entering to that page, i saw some bunch of options but none of them was working because of broken authentications or whatever. Clicking on the last option, prompt me to a new page which had a textarea for inserting multiple emails.

textarea for email address

As usual, first i typed some email addresses, check the response in JSON format.



Now it was time to test for vulnerabilities, so i tried to insert a single quote (just like how we test for a simple SQL Injection) and it returned a 403 Forbidden Error. Just by inserting “ — — + — ” in the last, the error fixed and return some bunch of image urls in the response, but the name of one them was empty (of course the one containing quote)


lets skip the finding Tables and Columns Stage. After finding the 4th (last) column vulnerable, i tried to check the format that how it gives the SQL Injection result. so for that i tried simple version() query and responded with the same response but little change. Instead of image name (or blank) in the end of one image Link, it respond with version just like this.

-test1@gmail.com’ union select 1,2,3,version() — — + —


i don’t know how to exploit it by SQLMap for minimizing the waste of time and for clear reading of the response, so i tried to exploit it by making simple script using python that sends request in JSON format, decode the response, split and format it. There i was able to find many important information about users and admins (of course it was their database).

Python Script use for extracting column names; columns.py

Python Script use for extracting table names; tables.py

Python Script use for dumping all data; dump.py

Python GUI Script for Final Exploit; finalExploit.py


That company has no Bug Bounty Program. They give me permission to test the site after sending them a simple XSS vulnerability.

The scripts above are not working now, because it is patched and i removed the site name.

Tools don’t make Hackers, Hackers make Tools.

Manual Finding is better than everything.



Just a Newbie with some Random Penetrating and Programming Skills. https://ijazurrahim.com/

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store