From now on, I’m going to publish some of my findings. In 2014 I found Blind SQL injection at hootsuite subdomain https://learn.hootsuite.com.

Blind SQL Injection: a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

When I signed up for a new account and started to explore the site, I noticed that the users’ photos were served through a PHP file to show as the profile image.

I copied the link and opened it.

https://learn.hootsuite.com/view_profile_image.php?id=8807

It loaded and I was able to see it clearly.

Here’s where the magic happened:

https://learn.hootsuite.com/view_profile_image.php?id=8807'

The page was blank. It looked like SQLi, so I did many tests to find out whether it was a blind SQL injection. For example, you can do a simple test:

OK !!

Nothing appeared !
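As an added illustration (not code from the post or from Hootsuite; the table name, column and the SQLite stand-in are assumed), this shows the lookup pattern that turns a stray quote in `id` into a database error behind a blank page, beside a parameterized lookup where the same input is just an id that matches nothing:

```python
import sqlite3

# Constructed in-memory stand-in for the profile-image table; the real schema is unknown.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile_images (id INTEGER PRIMARY KEY, image BLOB)")
    conn.execute("INSERT INTO profile_images VALUES (8807, ?)", (b"\x89PNG-bytes",))
    conn.commit()
    return conn

def lookup_vulnerable(conn, raw_id):
    """Concatenates the raw ?id= value into the SQL string.
    Returns ('ok', image_or_None) or ('error', message); the application
    hides the error and renders a blank page, which is the behaviour
    a blind injection test looks for."""
    sql = "SELECT image FROM profile_images WHERE id = " + raw_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as e:
        return ("error", str(e))
    return ("ok", row[0] if row else None)

def lookup_safe(conn, raw_id):
    """Validates the id as an integer and binds it as a query parameter,
    so the input can never change the shape of the SQL statement."""
    try:
        image_id = int(raw_id)
    except ValueError:
        return ("ok", None)  # treat as 'no such image' (404), not a database error
    row = conn.execute(
        "SELECT image FROM profile_images WHERE id = ?", (image_id,)
    ).fetchone()
    return ("ok", row[0] if row else None)

if __name__ == "__main__":
    db = make_db()
    for raw in ("8807", "8807'"):
        print("vulnerable", repr(raw), lookup_vulnerable(db, raw)[0])
        print("safe      ", repr(raw), lookup_safe(db, raw)[0])
```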



I didn’t have that much experience in SQLi at that time, so I used SQLMAP to detect whether it was blind or not.

SQLI

Type: boolean-based blind
Database: hootsuite_u_v2

And, I was right.

I prepared a full report and sent it with all the information and details.

I got the following reply:

SQLI

I was surprised that their security team had no idea what SQL injection is! So, I sent them the file, parameter, payload, and type. After months of many messages and replies, they fixed the SQLi and blocked me, I think! Maybe because they told me that they’d see if they could add me to their hall of fame, but I waited and nothing happened, so I tried to contact them but I got no reply… So I gave up on them and left.

Sometimes, people drive you to do the bad thing, like leaking the DB! There were around 10k users or 100k, I’m not quite sure, I can’t remember. And that’s all about it!

Thank you for reading.