How I Hacked the Dutch Government with SQLi and Won the Famous T-Shirt?

Hello, those who are at the computer day and night. While reading hacking posts on Medium, I saw someone win this t-shirt. And so I started researching to win this t-shirt. From here, I set myself a target site. And I started testing the site. I came across a search function with filters.

Example Request

Then I started checking the filters for SQLi. I changed the GET request to POST. And the “query” parameter, which is not in the photo, was vulnerable to an SQLi attack.

For ethical reasons, I didn’t want to see the whole database.

Payload:

'%2b(select*from(select(sleep(20)))a)%2b'

I then reported this vulnerability to the NCSC-NL side and won this famous t-shirt. xD
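For defenders, here is an added example (not code from the original post) of how a probe like the one above can be picked out of request logs: it flags requests whose decoded parameters contain a SQL delay call, that exceed a latency budget, or that use a method the search form never sends. The log record shape, the /search path, the lang parameter and the thresholds are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample records: (method, path, raw urlencoded params, seconds to respond).
# Hypothetical app/WAF log shape; the second record mirrors the payload shown above.
SAMPLE_LOG = [
    ("GET",  "/search", "query=tax+forms&lang=nl", 0.21),
    ("POST", "/search", "query='%2b(select*from(select(sleep(20)))a)%2b'&lang=nl", 20.34),
    ("GET",  "/search", "query=sleep+apnea+clinic", 0.30),
    ("GET",  "/search", "query=annual+report", 6.80),
]

# Delay primitives of common engines (MySQL, PostgreSQL, SQL Server).
DELAY_CALL = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)
SLOW_SECONDS = 5.0                    # assumed latency budget for this endpoint
EXPECTED_METHOD = {"/search": "GET"}  # assumed: the search form only sends GET

def inspect(method, path, raw_params, seconds):
    """Return the reasons a request looks like a time-based SQLi probe."""
    reasons = []
    # parse_qsl URL-decodes values, so %2b and similar encodings are normalised first.
    for name, value in parse_qsl(raw_params, keep_blank_values=True):
        if DELAY_CALL.search(value):
            reasons.append(f"delay-call:{name}")
    if seconds >= SLOW_SECONDS:
        reasons.append("slow-response")
    if EXPECTED_METHOD.get(path, method) != method:
        reasons.append("unexpected-method")
    return reasons

def triage(log):
    """Map record index -> (severity, reasons); delay call plus slow response
    suggests the injected delay actually executed in the database."""
    findings = {}
    for i, record in enumerate(log):
        reasons = inspect(*record)
        has_delay = any(r.startswith("delay-call") for r in reasons)
        if has_delay and "slow-response" in reasons:
            findings[i] = ("high", reasons)
        elif reasons:
            findings[i] = ("review", reasons)
    return findings

if __name__ == "__main__":
    for idx, (severity, reasons) in triage(SAMPLE_LOG).items():
        print(idx, severity, ", ".join(reasons))
```

Detection like this only surfaces the probing; the fix is to pass the "query" value to the database as a bound parameter instead of concatenating it into the SQL string.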

Thanks for reading. And good luck. (:


https://twitter.com/g0ktugkaya

Göktuğ Kaya
