Hi, this is Simran Singh (cybrr_warrior_official). This is my first bug bounty write-up, and in this article I'm going to tell you how I found a $2000 SQLi vulnerability in a private program.
I'm not going to reveal the name of the program, because that could go against the program's rules and policies.
Let’s say domain: example.com
So, at first I did the testing we usually do: nmap port scanning, subdomain enumeration, directory listing, etc. I got some subdomains, but nothing juicy.
At that point I thought it was a waste of time, so let's think like a criminal. Then the tool Arjun came to mind and I started discovering parameters.
After that I found some SQLi-vulnerable parameters on a subdomain, so let's say
And the whole URI string looks like this
After that I started making SQLi attempts with various payloads.
I looked at the responses in Burp Suite, but every payload was getting filtered. At that point I was losing hope, so I shut down my PC and went to sleep.
But the next day I again started gathering more information about the target and reviewed the program policy, and I saw that URL redirection was out of scope. But we security researchers always try to turn complex things into easier ones. Then an idea popped into my mind: let's take a look at the redirect URL, if there is one.....
And I found something like this:
And the subdomain in the destination URL endpoint was the same subdomain on which I had tested SQL injection.
I was excited ☺ now.
Let's try all the SQLi tests through the URL redirection.
I started with the database check, then tables and columns. You know what happened next.
I made a PoC video, took some screenshots, and reported it to the program on 2nd August 2020.
On 11th August 2020 I checked my inbox and there was an unread e-mail.
And all this happened because some people don't know that a domain name is also known as a root domain.
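The defensive lesson behind this, as an added example that is not part of the original write-up: a payload blocklist on one request path is bypassed the moment the same value arrives through another path (here, the redirect), whereas a parameterised query stays safe on every path. The host names and table rows below are constructed for the demo, not the program's.

```python
import sqlite3
from urllib.parse import urlparse

def make_db():
    """Constructed in-memory stand-in for the subdomain's backend (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("1", "alice"), ("2", "bob")])
    return conn

def lookup_concat(conn, user_id):
    """String-built query: whatever reaches it, via the form or via the redirect,
    is spliced into the SQL text, so a front-end filter is the only thing protecting it."""
    sql = "SELECT name FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, user_id):
    """Parameterised query: the driver binds the value, so it stays data no matter
    which entry point delivered it and whether or not a filter ran first."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))]

def safe_redirect_target(url, allowed_hosts):
    """Redirect only to an allow-listed host over http(s); returns None otherwise.
    This keeps the redirect endpoint from becoming an unreviewed path into the app."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        return None
    return url

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # classic probe string, constructed for the demo
    print(lookup_concat(db, tautology))   # ['alice', 'bob']: every row leaks
    print(lookup_param(db, tautology))    # []: no id equals the literal string
    print(safe_redirect_target("https://evil.example.net/", {"sub.example.com"}))  # None
```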
WHAT A MOMENT....
MONEY, WHAT A THING....
Wanna tell you something:
Always try to think in a unique way. I know the basic XSS, RCE, etc. are picked over, but never lose hope. There might be something that other people aren't paying attention to.
Sorry about the bad English.
I'm not good enough in English 😅😅😅.......