How I made $2000 with URL REDIRECTION?

Hi, this is Simran Singh (cybrr_warrior_official). This is my first bug bounty write-up, and in this article I'm going to tell you how I found a $2000 SQLi vulnerability in a private program.

I'm not going to reveal the name of the program, because that would go against the program's rules and policies.

Let's say the domain is example.com.

So at first I did the normal testing we usually do: nmap port scanning, subdomain enumeration, directory listing, etc. I found some subdomains, but nothing juicy.

At that point I thought it was a waste of time, so I decided to think like a criminal instead. Then the tool Arjun came to mind, and I started discovering parameters.

After that I found some SQLi-vulnerable parameters on a subdomain, so let's say

sub.example.com

And the whole URI looked like this:

https://sub.example.com/@someone’s_name/blog?pageid=143

After that I started making some SQLi attempts using various payloads.

I watched the responses in Burp Suite, but all the payloads were getting filtered. At that point I was losing hope, so I shut down my PC and went to sleep.

But the next day I started gathering more information about the target again, and I reviewed the program policy and saw that URL redirection was out of scope. But as security researchers we always try to turn complex things into easier ones. And then an idea popped into my mind: let's take a look at the redirect URL, if there is one.

And I found something like this:

https://www.example.com/subscribe?r=https://sub.example.com/subscribe_to_newsletter/

And the subdomain in the destination URL is the same subdomain on which I had tested the SQL injections.

Now I'm excited ☺.

Let's try all the SQLi tests again, this time through the URL redirection.

I started with the database check, then tables and columns. You know what happened next.

BANG BANG!

I made a POC video, took some screenshots, and reported it to the program on 2nd August 2020.

On 11th August 2020 I checked my inbox, and there was an unread e-mail waiting.

And all this happened because some people don't know that a domain name is also known as the root domain.
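To show the lesson above in code, here is an added example (mine, not code from the write-up or from the program): a redirect check that treats "same root domain" as safe, next to an exact allowlist check and a parameterized lookup for pageid on the subdomain side. The endpoint names are the ones in this post; the table, column and sqlite3 backend are assumptions for the demo.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed for this example: the only redirect target the root-domain
# "subscribe?r=" endpoint legitimately needs (host and path as in the post).
ALLOWED_REDIRECTS = {("sub.example.com", "/subscribe_to_newsletter/")}


def redirect_ok_by_root_domain(target: str) -> bool:
    """Weak check: accept any https URL on the root domain or a subdomain.
    This is what 'same root domain, so it is fine' looks like: the redirect
    will relay any path and any query string to any subdomain endpoint."""
    u = urlparse(target)
    host = u.hostname or ""
    return u.scheme == "https" and (host == "example.com" or host.endswith(".example.com"))


def redirect_ok_by_allowlist(target: str) -> bool:
    """Stronger check: exact (host, path) allowlist, https only, and no query
    string, fragment or userinfo, so the redirect cannot carry parameters
    to some other endpoint on the same root domain."""
    u = urlparse(target)
    if u.scheme != "https" or u.query or u.fragment or u.username or u.password:
        return False
    return (u.hostname, u.path) in ALLOWED_REDIRECTS


def lookup_page(conn, pageid_raw: str):
    """Subdomain side: validate pageid as a plain integer and bind it as a
    query parameter, so the query is safe whether the request arrives
    directly or via a redirect. Table and column names are assumed."""
    if not re.fullmatch(r"[0-9]+", pageid_raw):
        return None
    row = conn.execute("SELECT title FROM blog_pages WHERE pageid = ?",
                       (int(pageid_raw),)).fetchone()
    return row[0] if row else None


def build_demo_db():
    """Constructed in-memory stand-in for the blog database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog_pages (pageid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO blog_pages VALUES (143, 'Constructed sample page')")
    return conn


if __name__ == "__main__":
    relayed = "https://sub.example.com/@someone/blog?pageid=143"  # constructed
    print(redirect_ok_by_root_domain(relayed))  # True: the weak check lets it through
    print(redirect_ok_by_allowlist(relayed))    # False: not an allowed target
    print(lookup_page(build_demo_db(), "143"))  # Constructed sample page
```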

WHAT A THING ….

WHAT A THING MONEY IS….

$$$$$$$$$$$$$$$$$$$$$$$$$$$

I want to tell you something:

Always try to think in a unique way. I know the basics like XSS, RCE etc. The days of easy basic vulnerabilities are over, but never lose hope. There might be something that other people aren't paying attention to.

Sorry about the bad English.

I'm not good enough at English 😅😅😅…….
