My first Critical on HackerOne with a $6,400 bounty — SQL Injection
Hello everyone, my name is Tengku Arya Saputra (follow my LinkedIn). On this occasion I will tell you how I found a security hole with a very critical vulnerability level on one of the bug bounty platforms, HackerOne.
In the bug bounty program owned by a security company ****, I found it on the cloud subdomain, which is the most important domain on the company’s website, and for which I was rewarded $6,400 by *****.
The first thing I did was visit the link https://cloud.****/. Since I did not have login access, I registered on the SignUp page.
Next, I registered with my email address [username]@wearehackerone.com.
After successful registration I was directed to fill in the information as shown below.
After completing the form, I pressed the Next button and looked at the data recorded by Burp Suite.
I was interested in the endpoint https://cloud.****/****/****/****/dnt?level=standard&region=gcp-us-central1. I then sent it to the Repeater menu in Burp Suite. In the picture below it can be seen that when I send a request to the server, the response looks normal,
but the response changes when I put a single quote in the region parameter: the server responds with a 500 Internal Server Error, as can be seen in the image below.
Here I used the automated tool sqlmap to make it easier to get the server's DBMS information: back-end DBMS: ****
Impact
An attacker can manipulate the SQL statements that are sent to the PostgreSQL database and inject malicious SQL statements. The attacker is able to change the logic of SQL statements executed against the database.
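The behaviour described above (a single quote in the region parameter producing a 500) and its fix can be reproduced in a small sketch. This is an added example, not code from the affected application or from the report: the table, handler names, allowed values and the use of sqlite3 as an offline stand-in for PostgreSQL are all assumptions.

```python
import re
import sqlite3

# Assumed allow-lists; the real application's accepted values are not on the page.
ALLOWED_LEVELS = {"standard", "premium"}
REGION_RE = re.compile(r"[a-z0-9-]{1,32}")

def make_db():
    """Constructed sample data in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE plans (level TEXT, region TEXT, price INTEGER)")
    db.executemany("INSERT INTO plans VALUES (?, ?, ?)",
                   [("standard", "gcp-us-central1", 10),
                    ("standard", "aws-eu-west-1", 12)])
    return db

def handler_vulnerable(db, level, region):
    """'Before': request values are concatenated into the SQL text."""
    sql = ("SELECT price FROM plans WHERE level = '" + level +
           "' AND region = '" + region + "'")
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.Error:
        # A stray quote unbalances the statement; the DB error surfaces as a 500.
        return 500, []

def lookup_price(db, level, region):
    """Values travel as bound parameters, never as part of the SQL text."""
    return db.execute(
        "SELECT price FROM plans WHERE level = ? AND region = ?",
        (level, region)).fetchall()

def handler_hardened(db, level, region):
    """'After': reject unexpected input with a 400, then use bound parameters."""
    if level not in ALLOWED_LEVELS or not REGION_RE.fullmatch(region):
        return 400, []
    return 200, lookup_price(db, level, region)

if __name__ == "__main__":
    db = make_db()
    for region in ("gcp-us-central1", "gcp-us-central1'"):
        print(repr(region), handler_vulnerable(db, "standard", region),
              handler_hardened(db, "standard", region))
```

Even without the allow-list, the bound-parameter query treats the quote as data and simply returns no rows, so a 500 on a quoted value is a useful signal to alert on in application logs.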
Timeline
Report — July 26, 2023
Change To Triaged — July 27, 2023
Respond Staff **** — 1 August, 2023
Retesting a bonus — 2 August, 2023
Reward Bounty — 8 August, 2023
Resolved — 8 August, 2023