Today I will explain "how I found SQL injection on a HackerOne VDP public program".
Let's start.
First, consider that the name of the domain is example.com.
Like every hacker, I started recon of the domain using waybackurls, GitHub recon and Google dorking.
But no use, I did not find anything interesting. Then I started using the domain like a normal user, under the Burp proxy.
After that I opened the URLs one by one and checked the endpoints for any XSS or SQL injection, but I got nothing.
Then I started checking every URL for SQL injection with a single quote ('), even URLs with no parameters. At some point one URL responded with a 500 status code.
"Here I was simply testing every URL using the Repeater tab."
When I got the 500 status, that URL had no id parameter; it was just a URL path.
It looked like:
https://www.example.com/used-vehicles/example--resale-BB005809R'
Next we need to balance the query, so I added ' -- -
The final URL after that:
https://www.example.com/used-vehicles/example--resale-BB005809R' -- -
After successfully balancing the query, next we need to find how many columns there are. For this we use order by:
https://www.example.com/used-vehicles/example--resale-BB005809R' order by 40 -- -
Here just change the number after order by. When you get an error response, that column number does not exist; when you get a normal response, there is no error, so the column exists. Check up to the final column.
It has 40 columns. So next we need to find which column is vulnerable.
For this we use the union-based method. Using this method, the final URL after adding the union is:
https://www.example.com/used-vehicles/example--resale-BB005809R.%25' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40 -- -
Before explaining the above URL, first we need to understand:
"By injecting id=-1, the attacker can ensure that no valid record is returned from the original query since -1 or other abnormal values usually do not exist in the id column of the database.
- This makes the original query return zero rows, which is important because the UNION SELECT injection would fail if the original query returned results. The attacker wants to control the output completely."
Here there is no id parameter in which to place '-', so I used '.%25' instead.
I think everyone got the idea why I used .%25. I hope so.
Then, finally, enter that URL in the browser, and we get:
Boom, column 2 is vulnerable to SQL injection. Then I replaced 2 with:
- database()
- user()
- version()
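As an added example (not from the original writeup, and not the program's real code), here is a small Python/sqlite3 model of why that path lookup returned a 500 on a stray quote, next to the parameterised lookup the fix should use. The table and column names are assumptions, as is the sample row.

```python
import sqlite3

def build_db():
    # Constructed in-memory inventory table standing in for the site's
    # used-vehicles lookup (schema and row are assumptions, not the real site's).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vehicles (slug TEXT PRIMARY KEY, model TEXT, price INTEGER)")
    con.execute("INSERT INTO vehicles VALUES ('example--resale-BB005809R', 'Example Resale', 12000)")
    con.commit()
    return con

def lookup_vulnerable(con, slug):
    # The last path segment is pasted straight into the SQL text. A stray
    # quote unbalances the string literal, the database raises an error,
    # and the application surfaces that as a 500 response.
    sql = "SELECT model, price FROM vehicles WHERE slug = '" + slug + "'"
    return con.execute(sql).fetchone()

def lookup_safe(con, slug):
    # Parameterised query: the slug is bound as data and never parsed as
    # SQL, so quotes, 'order by' and 'union select' in the path are inert.
    sql = "SELECT model, price FROM vehicles WHERE slug = ?"
    return con.execute(sql, (slug,)).fetchone()

def probe(con, slug):
    """Return ('ok', row) or ('error', message) for the vulnerable lookup,
    i.e. whether a given path segment would trigger the 500."""
    try:
        return ("ok", lookup_vulnerable(con, slug))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = build_db()
    for s in ("example--resale-BB005809R", "example--resale-BB005809R'"):
        print(repr(s), "vulnerable:", probe(db, s)[0], "safe:", lookup_safe(db, s))
```

The same probe against `lookup_safe` never errors: an unknown slug just returns no row, which is the behaviour to check for in a retest after the fix.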
After these steps I reported to the program with these clear steps. They accepted it.
Thank you for reading. Any queries related to this, comment here. I will definitely answer your queries.
See you all next week with another writeup.