How i got easy $$$ for SQL Injection Bug

By Rafi Andhika Galuh (rafipiun.medium.com) · ~3 min read · November 27, 2020 (Updated: December 16, 2021)

Hello guys, this is my first write-up and I want to share "How I got easy $$$ for a SQL Injection Bug".

Note: I will call the target Redacted.com.

Tools: Burp Suite

Proof of Concept:

1. Sign up for a new account.

2. Follow the instructions, and then I got this page: [screenshot]

3. So I got a URL like this: https://redacted.com/user/activation/xxx/1325589 where 1325589 is my user ID. I tried adding a single quote ( ' ) to check whether the website has SQL injection or not, but it didn't :(

4. But if you look at the page again, it has a "Resend Activation Link" button, so I turned on intercept and clicked the button.

5. I got the request and the response like this: [screenshot] The response redirected me to: https://redacted.com/user/resendactivation/xxx/1325589/?smsg=green

6. So I tried modifying the request by adding a single quote, like this: https://redacted.com/resend/activation/1325589' and this is the response: I got redirected to: https://redacted.com/signup_page/xxx

7. Now I edited the request and added --+- and the response looked like this: [screenshot] The response turned back into the default one, so I could confirm that it is probably a SQL injection :D

8. Now I edited the request and added "order+by+5", like this: [screenshot] The response turned into the false condition, so the number of columns doesn't reach 5.

9. Try "order+by+4": still false.

10. Try "order+by+3": true !!! :D So that means there are 3 columns.

11. So now I tried "union select", like this: [screenshot] If you look at the response, I got redirected to: https://www.redacted.com/user/resendactivation/xxx/3/?smsg=green Yeah !!! I got the number 3.

12. Now try injecting a SQL query in column number 3, like this: [screenshot] BOOM !!! I got the user.

13. Now try to get the database name and the version, like this: [screenshot]

Reward: $$$

That's it for this write-up from me, I hope you enjoyed it. And sorry for my bad English :( See you again in the next story.

Follow me on: LinkedIn, Facebook, Instagram, and also subscribe to my YouTube channel.

#bug-bounty #bug-hunter #sql-injection #hackerone #cybersecurity
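The root cause behind steps 6 to 11 is a URL path segment concatenated straight into a SQL string, so a quote closes the literal and an ORDER BY or UNION tail becomes part of the query, and the app's different redirects act as a true/false oracle. The following is an added example (not the author's or the target's code): a minimal vulnerable handler beside its fixed version on a constructed SQLite table, with the handler names, schema and backend all assumptions. The fix validates the segment as a plain integer and binds it as a parameter, so every malformed value gets the same "rejected" outcome and no column-count oracle remains.

```python
import re
import sqlite3

# Constructed stand-in for the redacted site's user table (not the real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, activated INTEGER)")
    conn.execute("INSERT INTO users VALUES (1325589, 'user@example.com', 0)")
    return conn

def lookup_vulnerable(conn, user_id):
    """The bug class in the write-up: the URL segment is pasted into the SQL text,
    so a single quote closes the literal and the rest of the segment is parsed as SQL.
    (The write-up's --+- is the URL-encoded form of '-- -'; tests below use '-- '.)"""
    sql = "SELECT id, email, activated FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, user_id):
    """Fix: accept only a plain integer and pass it as a bound parameter, so the
    value can never change the query structure."""
    if not re.fullmatch(r"[0-9]{1,12}", user_id):
        raise ValueError("user id must be a plain integer")
    sql = "SELECT id, email, activated FROM users WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()

def outcome(lookup, user_id):
    """Collapse a handler's behaviour into the signal the write-up observed via
    redirects: 'ok' (query ran), 'sql_error' (query broke), or 'rejected'."""
    conn = make_db()
    try:
        rows = lookup(conn, user_id)
    except sqlite3.Error:
        return "sql_error", []
    except ValueError:
        return "rejected", []
    return "ok", rows

if __name__ == "__main__":
    for probe in ["1325589", "1325589'", "1325589' order by 3-- "]:
        print(repr(probe), "vulnerable:", outcome(lookup_vulnerable, probe)[0],
              "hardened:", outcome(lookup_hardened, probe)[0])
```

With the vulnerable handler the "order by" probes flip between ok and sql_error depending on the column count, exactly the oracle steps 8 to 10 relied on; the hardened handler answers "rejected" for every one of them.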