Hello hunters! hope you are safe and doing well in this pandemic situation.
This write up is all about a bug i recently found in an bounty program lets call it as redacted.com- because the program does not allow public disclosure.
let’s dive in!
i started testing the redacted.com for XSS vulnerabilities i tried to bypass the waf to trigger an alert and also tried with blind XSS but of no use.
then i thought why not use emoji as payload to check the response i tried the emoji XSS payload from here: hackerone , but no luck it is escaping all the data.
so i tried only the emoji character to see how the site is going to respond.
BOOM! it worked and started throwing the error messages with sql code used by the application.
Steps to reproduce:
- visit: https://redacted.com/profile_update.
- in the input field below give 😯.
- click on save and done.
- you will get the error disclosing the sql code as shown in the below screenshot.
- when you get stuck take a step back and start over again.
- Think out of the box, understand the application and how it handles your input.
- sometimes you can also use the ancient symbols or characters as payload.
Bounty 🤑: $$$ awarded
i have tried for sql injection along with time-based, it didn’t worked. if you have any ideas that you can increase more impact to this i would love to hear them, please comment below.
if you feel the write-up useful give me a clap.
if you have any questions reach out to me cyb3r_4ss4s1n
Stay Home Stay Safe.