Finding My First Bug: SQL Injection and XSS with Just a Google Dork

#$ubh@nk@r
2 min read · Jul 18, 2023


Intro:

Hey everyone, this is my new post about my first bug hunt on a live website. Although the site is not hosted on any bug bounty platform, just by doing manual Google dorking and recon I found 2 bugs on it: SQL injection and XSS.

SQL Injection:

I just tried using a Google dork on any ‘.com’ website to find parameters only. I got many results, but I focused particularly on the website below.

Here, on the product page, I found an ‘id’ parameter set to a value. I just put a quotation mark right after the value to check how the response behaves.

Note: The quotation mark is URL-encoded in the picture.

And it gave me a SQL syntax error.

It means the parameter is vulnerable to SQL injection. So, after doing it manually, I tried a tool called ‘sqlmap’.

Note: Here I tried to explore all the databases.

After some time, it showed me that two databases are present there.

I got many more things in those databases, but I am not showing them here. That’s how I simply compromised that page.

XSS:

On the product page I also found a ‘search’ functionality. I just put a simple XSS payload there, and it worked and prompted me with 1.

And I simply exploited the XSS vulnerability.

Then I reported those issues to their team by email, telling them the necessary details about those issues and their remediation.
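For readers who want to see what that remediation looks like in code, here is an added example (not from the original post and not the affected site's code) that puts a concatenated `id` lookup and a reflected search term beside their fixed forms. The SQLite table, the function names and the sample inputs are all constructed assumptions.

```python
import html
import re
import sqlite3

def make_db():
    # Constructed in-memory catalogue (assumption; stands in for the product table).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "Lamp"), (2, "Desk")])
    return db

def product_vulnerable(db, raw_id):
    # "Before": the id value is concatenated into the SQL text, so a trailing
    # quotation mark alters the statement and the database reports a syntax error.
    return db.execute("SELECT name FROM products WHERE id = " + raw_id).fetchone()

def product_hardened(db, raw_id):
    # "After": allow only a short run of ASCII digits, then bind the value as a
    # parameter so the database never parses it as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # caller should answer with a generic 400, not the DB error
    return db.execute("SELECT name FROM products WHERE id = ?", (int(raw_id),)).fetchone()

def search_banner_vulnerable(term):
    # "Before": the search term is reflected into the page as markup.
    return "<p>Results for " + term + "</p>"

def search_banner_hardened(term):
    # "After": HTML-encode on output so the browser treats the term as text.
    return "<p>Results for " + html.escape(term, quote=True) + "</p>"

def leaks_sql_error(db, raw_id):
    # True when the concatenating handler lets a database error escape.
    try:
        product_vulnerable(db, raw_id)
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = make_db()
    quoted_id = "1'"            # constructed input: value followed by a quotation mark
    term = "<i>lamp</i>"        # constructed input: harmless markup
    print("concatenated query errors:", leaks_sql_error(db, quoted_id))
    print("parameterized lookup:", product_hardened(db, quoted_id), product_hardened(db, "1"))
    print(search_banner_vulnerable(term))
    print(search_banner_hardened(term))
```

Returning a generic error page instead of the raw database message also removes the signal that made the `id` parameter stand out in the first place.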

And that’s it.

THANKS FOR READING!

Happy Hacking~

Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
