Found SQL Injection Vulnerability on Government Organization Website!
Last night before going to sleep i make a quick search on google a dork to find vulnerable websites and found some interesting result and from one of those website i found the SQL injection vulnerability & successfully able to exploit and retrieve sensitive information from the MySQL db.
Here are all the tools i used to find & exploit the SQLi Vulnerability:
Google Dork, Burpsuite, Sqlmap
Lets discuss in details, On google search engine i search a dork :
_news/news.php?id=
i found some interesting results, From one of those search results i found a website, I can not disclose the original website URL. Lets call it example.org, on that website i found a interesting parameter which is vulnerable for for Sql injection.
For More Update You Can Connect With Me On Following Social Media Twitter | YouTube | Linkedin | Instagram | GitHub | Website
http://example.org/news.php?id=45'
Then i fire up Burpsuite on my Kali Machine and capture the request and save it in a req.txt text file.
If you don’t know how to get into Kali Linux & using Burpsuite you can follow this Video Playlist. To learn Web Application Penetration Testing For Free Follow my YouTube Channel.
Now, It’s time to run sqlmap SQL injection tool with the request file for automatic sql injection attacks. As expected dump all the databases and sensitive information like admin,users, email, md5 hash password.
Sqlmap Exploitation & Commands :
sqlmap -r req.txt -dbs
sqlmap -r req.txt -D db_name — tables
sqlmap -r req.txt -D db_name -T table_name — columns
sqlmap -r req.txt -D db_name -T table_name -C column_name — dump
That’s how i found high severity SQL injection vulnerability on a Government Organization website.
