How I found a critical P1 bug in 5 minutes using a cellphone — Bug Bounty

Mr Empy
2 min read · Feb 6, 2022

Hello Hackers, I’m MrEmpy, I’m 16 years old and welcome to my first story about a critical bug I found on the phone.

Let’s start. I had received a private invitation from a Bug Bounty program, so I accepted the invitation and went to see the assets that were in scope. I started searching for login forms using a Google dork. I used a simple one:

site:*.target.com intext:login

I was having coffee at work with my cell phone and I used the short time to look for something. I didn’t intend to stay long, and then I found a subdomain that caught my attention. I started testing for time-based SQL injection. I used the following payload:

admin' and (select * from(select(sleep(40)))SQLI) and 'abc' = 'abc

Luckily for me, the server only returned a response after 40 seconds. I quickly used the Kiwi Browser to capture the POST request for use in SQLMap.

It really was SQL Injection! I couldn’t believe I got my first P1 CRITICAL failure in less than 5 MINUTES and still on a PHONE. You know that joy that makes you want to scream “YEEEEEEEEEEEESSSS”? But I couldn’t, because I was at the company during the afternoon coffee break.

As soon as I got home I grabbed my notebook and ran to report the failure.

Fortunately the fault was marked as triaged.
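
Why a login lookup answers only after the sleep finishes, and why a bound parameter stops it, shown as an added example that is not code from the original post or from the program involved. It assumes the form built its query by string concatenation against MySQL, emulates SLEEP() inside SQLite, and shortens the delay to 0.2 seconds; the table, function names and sample row are constructed.

```python
import sqlite3
import time

DELAY = 0.2          # constructed: short stand-in for the post's 40-second sleep
sleep_calls = []     # records every time the database executes sleep()

def _sleep(seconds):
    """Emulate MySQL's SLEEP() in SQLite (assumption: the backend was MySQL)."""
    sleep_calls.append(seconds)
    time.sleep(seconds)
    return 0

def make_db():
    # Constructed in-memory database with a single sample user
    db = sqlite3.connect(":memory:")
    db.create_function("sleep", 1, _sleep)
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.execute("INSERT INTO users (username) VALUES ('admin')")
    return db

def lookup_vulnerable(db, username):
    # Input is pasted into the SQL text, so a quote in it ends the string literal
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # Input is bound as a value; the database never parses it as SQL
    sql = "SELECT id FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def timed(fn, db, username):
    # Returns (rows, elapsed seconds, number of sleep() executions)
    sleep_calls.clear()
    start = time.monotonic()
    rows = fn(db, username)
    return rows, time.monotonic() - start, len(sleep_calls)

# The post's payload with the shortened delay
PAYLOAD = f"admin' and (select * from(select(sleep({DELAY})))SQLI) and 'abc' = 'abc"

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_parameterized):
        rows, elapsed, calls = timed(fn, db, PAYLOAD)
        print(f"{fn.__name__}: rows={rows} elapsed={elapsed:.2f}s sleep_calls={calls}")
```

In the concatenated version the database executes the injected sleep() before answering; with the bound parameter the whole payload is compared as a username and sleep() never runs.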

That was my story, I hope you enjoyed it, I will bring more Bug Bounty stories as time goes by, so follow me for more stories like this ;)

Thanks for reading my story,

- MrEmpy
