From now on, I’m going to publish some of my findings. In 2014 I found a Blind SQL injection at a Hootsuite subdomain.
Blind SQL Injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When I signed up for a new account and started to explore the site, I noticed that the users’ photos were connected to a PHP file to show as the profile image.
I copied the link and opened it.
It loaded, and I was able to see it clearly.
Here’s where the magic happened:
The page was blank. It looked like SQLi, so I did many tests to find out if it was a blind SQL injection. For example, you can do a simple test:
Nothing appeared!
I didn’t have that much experience with SQLi at that time, so I used SQLMAP to detect whether it was blind or not.
Type: boolean-based blind
And I was right.
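To make the definition above concrete, here is an added example (mine, not code from the post or from Hootsuite) of what the photo handler looked like in spirit and what the fix is, written in Python with SQLite instead of the site's PHP. The constructed `users` table, the function names and the `id` parameter are assumptions; the "blank page" behaviour is mimicked by swallowing database errors, and the last function is the true/false check a developer can run as a regression test against their own handler.

```python
import sqlite3

# Constructed sample data standing in for the site's users table (assumption:
# the real schema is unknown; only the id -> photo lookup matters here).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, photo TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice.jpg"), (2, "bob.jpg"), (3, "carol.jpg")])
    return db

def photo_vulnerable(db, user_id):
    """Builds the query by string concatenation: the request parameter becomes SQL.
    Errors are hidden, like the blank page in the write-up, so nothing is shown
    except whether a photo came back: exactly the signal blind SQLi relies on."""
    try:
        row = db.execute("SELECT photo FROM users WHERE id = " + user_id).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None

def photo_safe(db, user_id):
    """Validates the type, then binds the value as a parameter: it is data, never SQL."""
    if not user_id.isdigit():
        return None
    row = db.execute("SELECT photo FROM users WHERE id = ?", (int(user_id),)).fetchone()
    return row[0] if row else None

def answers_true_false_questions(lookup, db):
    """Regression check for a handler: feed it a true and a false condition on a
    known-good id. A handler that answers them differently is interpreting the
    parameter as SQL (sqlmap's 'boolean-based blind'); a fixed one treats both
    as an invalid id and gives the same answer."""
    true_case = lookup(db, "1 AND 1=1")
    false_case = lookup(db, "1 AND 1=2")
    return true_case != false_case
```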
I prepared a full report and sent it with all the information and details.
I got the following reply:
I was surprised that their security team had no idea what SQL injection is! So, I sent them the file, parameter, payload, and type. After months of many messages and replies, they fixed the SQLi and blocked me, I think! Maybe because they told me that they’d see if they could add me to their hall of fame, but I waited and nothing happened, so I tried to contact them but got no reply… So I gave up on them and left.
Sometimes, people drive you to do the bad thing, like leaking the DB! There were around 10k users or 100k, I’m not quite sure, I can’t remember. And that’s all about it!
Thank you for reading.