Story of a SQL injection vulnerability

Little about me

I am just a corrupted teen kid trying to dig into infosec community. While, I don’t wanna reveal my identity. Thank’s for understanding me

About the target

It was just an ISP website, with bunch of cool functionalities. They don’t have bug bounty program (BTW). As, I care about their privacy we will talk that the website is target.com

About SQL Injection

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

Story

Back on october 2020, I got know about SQL injection vulnerability. SO, I thought to test it on Private(target.com) website. Even, at that time I didn’t knew shit about bug hunting things, I only know that SQL injection is cool(LOL). So, I used google dork to find an interesting endpoint(Sorry, I can’t disclose the link) & I tried adding ‘ & “” on the end points to get what I actually want, & guess what I got an error saying this

The things that I was searching for

SO, after I found this cool bug. I thought to report it to them, But I didn’t know how to actually report it. SO, I asked to cool nepali hacker on how can I report this bug. He said ‘They, Don’t have bug bounty program” but still report it via facebook. SO, I reported it to them via facebook & They replied saying “we will concern this to our team”.

Reply from them

Reward

I didn’t got any bounty, but as this was a valid bug they made my internet free for 1 month(as I am a that ISP user).

That’s all. Keep hacking.