Found SQL Injection Vulnerability on Government Organization Website!
Last night before going to sleep i make a quick search on google a dork to find vulnerable websites and found some interesting result and from one of those website i found the SQL injection vulnerability & successfully able to exploit and retrieve sensitive information from the MySQL db.
Here are all the tools i used to find & exploit the SQLi Vulnerability:
Google Dork, Burpsuite, Sqlmap
Lets discuss in details, On google search engine i search a dork :
i found some interesting results, From one of those search results i found a website, I can not disclose the original website URL. Lets call it example.org, on that website i found a interesting parameter which is vulnerable for for Sql injection.
Now, It’s time to run sqlmap SQL injection tool with the request file for automatic sql injection attacks. As expected dump all the databases and sensitive information like admin,users, email, md5 hash password.
Sqlmap Exploitation & Commands :
sqlmap -r req.txt -dbs
sqlmap -r req.txt -D db_name — tables
sqlmap -r req.txt -D db_name -T table_name — columns
sqlmap -r req.txt -D db_name -T table_name -C column_name — dump
That’s how i found high severity SQL injection vulnerability on a Government Organization website.