Bug Bounty in Lockdown (SQLi and Business Logic)

Abhishek Abhishek

Jun 24, 2020

Bug Bounty in Lockdown (SQLi and Business Logic)

This blog was originally published here by Abhishek

I hope you all are doing well in this lockdown. I kinda have a hard time concentrating on bug bounty for now cause of staying home all the time. Usually I go play football once a week but since the lockdown cant go out no more. I still managed to find few bugs during this time. Found a few XSS and 2FA bypass. But for now ill share just the 2 bugs that I found.


So the first bug I found was SQLi which was quite an easy find. The company has a public VDP but since I reported many bugs to them they asked me to look at a completely different website that they own.

And of course I have taken permission from them before publishing the blog. With the help of wappalyzer found out that the website runs on PHP and so I used a simple google dork site:redacted.com inurl:id= and just found 1 url.

I added ’ at the end of id=1 and it gave me a MySQL error.

This itself tells us that there is SQL injection. I injected sleep command and it worked which confirmed the vulnerability.

This is enough for POC, reported it and the team fixed it pretty quickly.

• • •

Now the second bug was a business logic issue. The website is about creating projects or a presentation and sharing them with others. Users can create a free account but can only create 1 project. Creating multiple projects requires you to upgrade your account.

When clicked on New Project it would redirect me to the payment page. So I thought of bypassing it, tried using Turbo Intruder to send the request of creating project multiple times but it gave me errors so I thought of trying it on the app version from Playstore. When browsing the app I discovered that you can create multiple projects in it without any restrictions and I was like.

There was an add button in the app which let me create as much projects as I want.

And the changes reflected on the website as well.

And just like that I bypassed it. The app was really old and haven’t been updated for years.

Always look at the app of the website if it has. Sometimes developers forget about the app and functionalities are never updated. The team were also kind enough to give bounty instead of coupons.

Hope you learned something from this.

Follow me on X — https://x.com/abhishekY495

Thank You.

To add your blog, send an email to [email protected]

Recommended Blogs

Bypassing Captcha !

Bypassing Captcha !

Abhishek

Dec 20, 2019

Business Logic Errors - A Logic Destruction

Business Logic Errors - A Logic Destruction

Jerry Shah

Oct 16, 2021

Programs to Hack

Monosnap

Monosnap

Monosnap screenshot tool for Mac and PC with own cloud storage. Take screenshots, record videos and upload files directly to the cloud.

Web2

Bounty

$25 - $400

AdsPower

AdsPower

Create real browser fingerprints with over 20+ customizable parameters and manage all your accounts more easily than ever.

Web2Desktop

Bounty

$25 - $750