π€΅ββοΈSQL Injection in Security Cleared Job Site
Error-Based SQL Injection in Security Cleared Job Site
Last updated
Error-Based SQL Injection in Security Cleared Job Site
Last updated
A few months back I was on a security cleared job site, one of the top two, and found an interesting endpoint when just using the site as normal. This was a PHP endpoint that when a semi-colon was entered had a very verbose error. How interesting...
Now looking at this we can see that it is surprisingly simple to inject into this query. In order to prove that this was a vulnerability before submitting it to the site maintainers I used the verbose errors to show the tables in the database and get a count on users to make sure it was the active database.
Here is a snippet of this:
Count of users:
Wow, over 320k users, all of whom are presumably security cleared professionals. This was a huge security risk and I immediately reached out to the website administrators with my findings. It took a few weeks but eventually got in contact and they remediated the issue.
The main impact from this was the exposure of all these security cleared professional's personal and job information, resumes, messages between employers and recruits, internal employer messages and notes on applicants, API keys, password hashes for each user, admin user passwords, and much more. Thankfully this has been patched and won't fall into the hands of any bad actors anytime soon.