
So I was bored and decided to get into some bug bounty hunting. I went on a website that has a bug bounty program; the website is for downloading apps. I went to the "enter a gift card code" field and targeted it in Intruder in Burp Suite. I loaded up a list of payloads containing common SQL injection strings, and the 5th line had an interesting response.

"This will update the balance for xxxxx"

Kind of surprised it worked, I copied the string and entered it manually into the field on the website and got the response in my browser. Sure enough, I got the same prompt, and when I clicked "Update Balance" it said it was an incorrect code.

The SQL injection string: PHPX+AND+1=1+AND+XX=X

How can this be exploited with the given information? Can it be exploited at all, or is this just a logical error?

Any info or advice would be much appreciated.

PortSwigger
  • Which site is it? – C0deDaedalus Jun 02 '18 at 04:16
  • @C0deDaedalus Unfortunately, if this really is a bug, I don't want to publicly out a website that may have a potentially very serious vulnerability. – Edward Severinsen Jun 02 '18 at 04:31
  • We need more details to help you; we don't know whether you received an error from the application or if it actually updated the balance. You should add the request and the server response. You may want to obfuscate or hide those parts that may reveal the application you're attacking. – Mr. E Jun 04 '18 at 21:07

0 Answers