Security researcher Josip Franjković discovered four SQL injection vulnerabilities across Nokia domains between April and July 2013, exploiting blind SQL injection in INSERT queries via User-Agent headers and time-based attacks on legacy PHP sites, earning a Nokia Lumia 820 and Top Reporter status.
A blind time-based SQL injection vulnerability was discovered in a file upload feature where the application stored the filename parameter in a database without proper sanitization. The vulnerability was confirmed by bypassing a Cloudflare WAF configuration issue and using SQL sleep payloads to measure response time differences.
A researcher discovered a SQL injection vulnerability in an API endpoint of a European search engine and extracted database contents using sqlmap, earning a €5,000 bounty. The vulnerability was located in api.xxx.com's /api/trend/get endpoint, which was vulnerable to time-based SQL injection via the locale parameter.
A time-based SQL injection vulnerability was discovered in the forgot-password function of an ASP.NET application. It was exploited through single-quote escaping to break the SQL query and WAITFOR DELAY statements to exfiltrate database information, automated with sqlmap.