Showing posts from February, 2017

SQL injection in an UPDATE query - a bug bounty story!

What's up, whoever is reading this! It's been a long time since I last posted something here. Today, I will be writing about a SQL injection vulnerability I recently found. As usual, at a hacking night, after drinking my favorite cookie frappe, I picked up a bug bounty program and started testing. Like any other researcher, I was throwing XSS payloads randomly everywhere (I usually use `'"><img src=x onerror=alert(2) x=`, with a single quote at the beginning), and while doing so one of the endpoints returned a 500 error saying `A SQL error was encountered`, which definitely attracted my attention. The field that returned that error was my `full name`, so I went back there and immediately tried `test'test`, which returned the same error, which means that the single quote is what is causing the problem here. Realizing that, it seemed to me that single quotes weren't escaped in the SQL query, so I tried to escape it for them (by doubling it) and see what happens...
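To make the mechanism behind that 500 error concrete, here is an added example (not code from the original post or from the affected site) that reproduces the symptom in a tiny SQLite-backed profile update and puts the fix next to it. The table, column and function names are assumptions chosen for illustration. The vulnerable version concatenates the submitted `full name` straight into an `UPDATE` statement, so a single quote in the input terminates the string literal and the statement fails to parse, which is the "A SQL error was encountered" behaviour described above, while a doubled quote is swallowed as an escaped quote and the update succeeds. The safe version passes the value as a bound parameter, so a quote is just data and a legitimate name like `O'Brien` is stored as typed.

```python
import sqlite3


def setup_db():
    """Constructed in-memory database with one profile row (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, full_name TEXT)")
    conn.execute("INSERT INTO users (id, full_name) VALUES (1, 'placeholder')")
    conn.commit()
    return conn


def update_name_vulnerable(conn, user_id, full_name):
    """String-built UPDATE: the value is spliced into the SQL text itself.

    A single quote in full_name ends the literal early and the statement no
    longer parses; the database error surfaces to the caller as a 500.
    """
    sql = f"UPDATE users SET full_name = '{full_name}' WHERE id = {int(user_id)}"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error:
        conn.rollback()
        return "sql_error"  # what the application showed as "A SQL error was encountered"


def update_name_safe(conn, user_id, full_name):
    """Parameterised UPDATE: the driver binds the value, so quotes are plain data."""
    conn.execute("UPDATE users SET full_name = ? WHERE id = ?", (full_name, user_id))
    conn.commit()
    return "ok"


def get_name(conn, user_id):
    row = conn.execute("SELECT full_name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]


def run_scenario(updater, submitted_name):
    """Apply one update function to a fresh database; return (status, stored value)."""
    conn = setup_db()
    status = updater(conn, 1, submitted_name)
    return status, get_name(conn, 1)


if __name__ == "__main__":
    for name in ("test'test", "test''test", "O'Brien"):
        print(f"{name!r:14} vulnerable -> {run_scenario(update_name_vulnerable, name)}")
        print(f"{name!r:14} safe       -> {run_scenario(update_name_safe, name)}")
```

The contrast in the output is the whole point: with the concatenated query, `test'test` produces a database error while `test''test` quietly succeeds and stores `test'test`, which is exactly the quote-handling probe the post describes. With the bound parameter both inputs are stored literally and no input can change the statement's structure, so the defence is parameterisation, not filtering quotes out of names.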