Bug Bounty: Story of a Not Applicable SQL Injection worth $15,000
Note: I will not mention the companies, for reasons of privacy and confidentiality.
What is SQL Injection?
A SQL Injection attack consists of the insertion or “injection” of SQL syntax via the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to change the execution of the application’s predefined SQL commands.
How I found the bug:
As a first step, I fuzzed some parameters and noticed that only one parameter gave me a message such as “Query error”, but this does not mean that the SQL Injection is exploitable. It may well be that it is not there. Or the programmer has decided not to give me the error back, making it blind and therefore far more complex to exploit. So I tested the parameter using sqlmap.
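The two things the post relies on, why injected input changes the query and why a raw “Query error” message is a signal worth noticing, can be shown side by side. The following is an added example written for this page, not code from the original post or from the affected company: a vulnerable lookup that concatenates user input into SQL and echoes the DBMS error, next to a hardened version that binds the input as a parameter and returns only a generic failure message. The table, rows and function names are constructed for the illustration and use an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Hypothetical vulnerable handler.

    Two defects: the untrusted value is spliced into the SQL text, so it is
    parsed as SQL syntax rather than treated as data; and the DBMS error is
    echoed to the client, which is exactly the "Query error" signal that
    tells a tester the input reached the query parser.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Leaks internal detail to the caller.
        return {"rows": [], "error": "Query error: " + str(exc)}


def lookup_hardened(conn, username):
    """Hypothetical fixed handler.

    The query text is constant; the value is bound as a parameter, so a quote
    or OR clause in the input can only ever be compared as a literal string.
    Failures are reported generically (log the detail server-side instead).
    """
    try:
        rows = conn.execute(
            "SELECT username, role FROM users WHERE username = ?", (username,)
        ).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "request failed"}


if __name__ == "__main__":
    db = make_db()
    for value in ["alice", "x' OR '1'='1", "x'"]:
        print(repr(value), "vulnerable ->", lookup_vulnerable(db, value))
        print(repr(value), "hardened   ->", lookup_hardened(db, value))
```

Run stand-alone it shows the contrast: the tautology input returns every row from the vulnerable handler and nothing from the hardened one, and a lone quote produces a visible “Query error” only from the vulnerable handler. On the defensive side, the two fixes are independent: parameterizing the query removes the injection, and suppressing the raw DBMS error removes the easy signal, but the latter alone only turns an error-based bug into a blind one, as the post notes.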
Excellent! I found the bug. Due to the policies of each platform, it is strictly forbidden to enumerate databases. And so, respecting the rules, the databases were not enumerated by me. So I decided to make the report. And as you can see, there are 9 databases! And I have the back-end DBMS too.
Bug: N/A, then nothing:
As a first response, I received this: Not Applicable….
And they told me: “This is not a security threat! You need to enumerate databases with table and COLUMN.” What? Databases? But wasn’t that forbidden by the rules and policy? OK, after their reply, without using sqlmap again, I tried to enumerate the boolean-based blind manually. But wait, I didn’t get an answer of any kind. And I thought it best to reuse sqlmap. But do you know what happened? The bug had been fixed, and I had politely asked them not to fix it. So the question of enumerating the database was simply a joke, because by the time they had replied, the bug had already been fixed. So what do I do now? The first thing that came to my mind was to tell them that their attitude was unethical, and that I would point this out. “Who wouldn’t respond badly when you see $15k go by in front of your eyes?” So I decided to ask for a mediator. Do you know the mediator’s answer? “You answered wrong, so you don’t get paid.” Can you believe I laughed for two days? I had tears in my eyes. This is really funny, besides being a joke. Even if I had answered well, they still didn’t want to pay me. “$15K to this stranger?” Nah.
End of the story:
What can I say? I lost $15,000 and the bug has been fixed. I got $0. Plus they told me that if I continue they will block my account. I am really disappointed and very sad about this. I was 100% ethical. The first unethical people are them. Obviously, I will not continue to do bug bounty for now. I have never felt so cheated in my life.
I feel really sad. Especially from a world that is supposed to be ethical. Unfortunately it’s the known people who pay the most. We newcomers are nothing.
In any case, I have read the rules for myself; they are written in such a way that if you don’t get paid, you can’t do anything. Everyone who has studied the rules has studied them well.