How I Hacked the Dutch Government with SQLi and Won the Famous T-Shirt?

Hello, those who are at the computer day and night. While reading hacking posts on Medium, I saw someone win this t-shirt. And so I started researching to win this t-shirt. From here, I set myself a target site. And I started testing the site. I came across a search function with filters.

Example Request

Then I started checking the filters for SQLi. I changed the GET request to POST. And the “query” parameter not in the photo was vulnerable to SQLi attack.

For ethical reasons, I didn’t want to see the all database.

Payload;

‘%2b(select*from(select(sleep(20)))a)%2b’

I then reported this vulnerability to the NCSC-NL side and won this famous t-shirt. xD

Thanks for reading. And good luck. (: