So...Today I found an SQLI (sql injection , google if you're not aware) in one of our products , I start exploring it , I get my trusty Kali on me workstation . sqlmap etc. Tell my manager it's a true positive... I start exploring the db , half the devs at my manager's place start staring at his screen as I proper fuck a QA db server... I hear a qa guy mention triangulation as sqlmap dumps a uid table in his face . I hear my manager's manager saying 'this has been in our app for so long and we found it just now ? Who found it ?' *manager proudly saying me name* 'He's still working this late ?' ...apparently now my trip to england is getting covered for both me and me gf by the company...

I'm seeing people defending clearly-injectable code and I'm just stunned.

And this person in particular is supposed to be responsible (at least partially) for finding security flaws.

I don't know what to say.

Boss hands over to me an old security audit report and tells me "Go through this and check if all the problems mentioned have been resolved". Quick glance through the report shows all expected issues - SQLi, plaintext transmission and storage etc. I tell him that I need access to the application both from admin and a user with restricted privileges.
He hands me the admin credentials and tells me, "After you login in, just go the "Users" tab. You'll find the profiles of all the users there. You can get the emails and passwords of any user you want from there."
I had to hold back a chuckle. There's nothing to verify. If they haven't resolved storing plain text passwords in the database (AND displaying it IN PLAIN TEXT in the website itself (which to my surprise wasn't mentioned in the audit)), they probably haven't even looked at the report.

Forgive me father, for I have sinned.  Alot actually, but I'm here for technical sins.  Okay, a particular series of technical sins.  Sit your ass back down padre, you signed up for this shit.  Where was I?  Right, it has been 11429 days since my last confession.  May this serve as equal parts rant, confession, and record for the poor SOB who comes after me.

Ended up in a job where everything was done manually or controlled by rickety Access "apps".  Many manhours were wasted on sitting and waiting for the main system to spit out a query download so it could be parsed by hand or loaded into one of the aforementioned apps that had a nasty habit of locking up the aged hardware that we were allowed.  Updates to the system were done through and awful utility that tended to cut out silently, fail loudly and randomly, or post data horrifically wrong.

Fuck that noise.  Floated the idea of automating downloads and uploads to bossman.  This is where I learned that the main system had no SQL socket by default, but the vendor managing the system could provide one for an obscene amount of money.  There was no buy in from above, not worth the price.

Automated it anyway.  Main system had a free form entry field, ostensibly for handwriting SELECT queries.  Using Python, AutoHotkey, and glorified copy-pasting, it worked after a fashion.  Showed the time saved by not having to do downloads manually.  Got us the buy in we needed, bigwigs get negotiating with the vendor, told to start developing something based on some docs from the vendor.  Keep the hacky solution running as team loves not having to waste time on downloads.

Found SQLi vulnerability in the above free form query system, brought it up to bossman to bring up the chain.  Vulnerability still there months later.  Test using it for automated updates.  Works and is magnitudes more stable than update utility.  Bring it up again and show the time we can save exploiting it.  Decision made to use it while it exists, saves more time.  Team happier, able to actual develop solutions uninterrupted now.  Using Python, AutoHotkey, glorified copy-pasting, and SQLi in the course of day to day business critical work.  Ugliest hacky thing I've ever caused to exist.

Flash forward 6 years.  Automation system now in heavy use acrossed two companies.  Handles all automatic downloads for several departments, 1 million+ discrete updates daily with alot of room for expansion, stuff runs 24/7 on schedule, most former Access apps now gone and written sanely and managed by the automation system.  Its on real hardware with real databases and security behind it.

It is still using AutoHotkey, copy-paste, and SQLi to interface with the main system.  There never was and never will be a SQL socket.  Keep this hellbeast I've spawned chugging along.

I've pointed out how many ways this can all go pearshaped.  I've pointed out that one day the vendor will get their shit together they'll come in post system update and nothing will work anymore.  I've pointed out the danger in continuing to use the system with such a glaring SQLi vulnerability.

Noone cares.  Won't be my problem soon enough.

In no particular order:
Fuck management for not fighting for a good system interface
Fuck the vendor for A) not having a SQL socket and B) leaving the SQLi vulnerability there this long
Fuck me for bringing this thing into existence

Hello again, everyone. I've been busy with all the paperwork at my ship (will make a post about it later) but for now, I'll bore you with another story (not navy one, fortunately) to justify my slacking off.
And this story... is the story on how I got into ITSec. And it is pretty damn embarrassing. It all began when I was 16. I was hooked on battleknight.gameforge.com, a browser game. My father had just had ADSL installed at our home, and the new opportunities before me were endless. Well...
After I've had my fill with the porn torrents and them opportunities dwindled to just a few dozens, I began searching for free games, and I stumbled on that game. I played a lot, but as a free-to-play game, it was also pay-to-win. I didn't have a credit card, so I paid for a few gems with SMS messages. Fast forward a couple of years, I got into the Naval Academy. A guy came in to advertise something (I think it was an encyclopaedia or something - yes, wikipedia wasn't a thing back then) and to pay for it, we could apply for a credit card. So I applied. And I resisted the temptation for a year.
Note: prepaid wasn't that known where I live, so using credit cards was the only way for online transactions.
So I made 1 transaction. Just one. After a couple of months my monthly report from the bank came, showing a 2.5$ (I think) transaction on Paypal. I paid no mind, thinking that it was some hidden fee. Oh boy, I shit you not, I was THAT much of an idiot. Six months later, BOOM!
600$ transaction to ebay via paypal. You can imagine all those nice things that came to my mind. In any case, the bank accepted my protest that I filed at their central offices and cancelled the transaction. I promptly cancelled my card, destroyed it right there for good measure, and got to thinking... what the fuck just happened?
As many people here, I am afflicted with a deadly virus, called curiosity. I started researching the matter, trying to figure out how. And, because I didn't like black boxes and "it is just like it is" explanations, I tumbled down the rabbit hole of ITSec. I soon found out that, not only it was possible, but also it was sometimes EXTREMELY easy to steal credit card info. There are sites, to this very day, that store user info (along with credit cards info) IN FUCKING CLEARTEXT. Sometimes your personal, financial and even medical info are just an SQLi away.
So, I got very disillusioned on many things. But I never regretted it. It may cause me to age prematurely and will kill me of stroke or heart attack one day, but as I still tumble down the ITSec rabbit hole, I can say with confidence that
I REGRET NOTHING
Plus, my 600$ were returned, so look on the bright side :)

Just found an admin portal online. There was a modal asking for password, but in background the portal was visible. ctrl + shift + i and then closed the modal.

Voila, the whole portal and actions are accessible. Seriously, who develops things like these?

I am pretty sure it's vulnerable to sqli and xss too.

Some of the penguin's finest insults (Some are by me, some are by others):

Disclaimer: We all make mistakes and I typically don't give people that kind of treatment, but sometimes, when someone is really thick, arrogant or just plain stupid, the aid of the verbal sledgehammer is neccessary.

"Yeah, you do that. And once you fucked it up, you'll go get me a coffee while I fix your shit again."

"Don't add me on Facebook or anything... Because if any of your shitty code is leaked, ever, I want to be able to plausibly deny knowing you instead of doing Seppuku."

"Yep, and that's the point where some dumbass script kiddie will come, see your fuckup and turn your nice little shop into a less nice but probably rather popular porn/phishing/malware source. I'll keep some of it for you if it's good."

"I really love working with professionals. But what the fuck are YOU doing here?"

"I have NO idea what your code intended to do - but that's the first time I saw RCE and SQLi in the same piece of SHIT! Thanks for saving me the hassle."

"If you think XSS is a feature, maybe you should be cleaning our shitter instead of writing our code?"

"Dude, do I look like I have blue hair, overweight and a tumblr account? If you want someone who'd rather lie to your face than insult you, go see HR or the catholics or something."

"The only reason for me NOT to support you getting fired would be if I was getting paid per bug found!"

"Go fdisk yourself!"

"You know, I doubt the one braincell you have can ping localhost and get a response." (That one's inspired by the BOFH).

"I say we move you to the blockchain. I'd volunteer to do the cutting." (A marketing dweeb suggested to move all our (confidential) customer data to the "blockchain").

"Look, I don't say you suck as a developer, but if you were this competent as a gardener, I'd be the first one to give you a hedgetrimmer and some space and just let evolution do its thing."

"Yeah, go fetch me a unicorn while you're chasing pink elephants."

"Can you please get as high as you were when this time estimate come up? I'd love to see you overdose."

"Fuck you all, I'm a creationist from now on. This guy's so dumb, there's literally no explanation how he could evolve. Sorry Darwin."

"You know, just ignore the bloodstain that I'll put on the wall by banging my head against it once you're gone."

An adult cam website I worked on as freelancer had/has this code everywhere:
$user = $_POST['usr'];
$pass = $_POST['pwd'];
$row = $db->query ("SELECT * FROM users where username='".$user."' AND password='".$pass."' COUNT 1);

I was hired to add new features and was touch any other parts of the code. When my job was done, I tried to fix those as a good samaritan but the client thought I was messing with the system or should be thing of new features to add. So I got fired.

5 years later, I check out of curiosity and they are still there. I ask him again if I can work on them for a little less pay(I'm broke) and he doesn't reply. What a douche. I hope his site receives a shot of SQLi from a customer.

> Young dev apprentice me pair programming with another developer
> Dude checks bug report of a customer, saying something about a "Blind SQL Injection"
> Young me asking what that "Blind" part means
> "Dunno man, maybe u gotta close your eyes when hacking this"

Guess what, the issue was never fixed

When I left school I decided to apply for a junior dev role. I received a call back later that day and they tried to sell me access to some course with the promise of a job afterwords. They gave me a website to visit to find more information.

I Googled the company and found that it was as I suspected a scam and that they had been praying on the jobless for sometime.

So, I played around on the site they told me to visit for a while and found a rather simple SQLI. I managed to pull the admin email/password (which they stored as plain text) the email address belonged to a Gmail account.

I tried the password for the Gmail account turns out the account belongs to the person running the scam. I find an email from the hosting account and you guessed it the password was the same.

I pulled the site down and replaced it with a picture of the person running the scam along with his name and the words "I'm a dirty scammer".

Then I sent all the info to the police (he'd been running a few others scams too) not sure what that lead to I didn't hear anything back.

Me and my developer friend worked with my ex-colleague with this fitness directory website because he promised to give us {{ thisAmount }} upon the {{ completionDate }}.

He was my friend and I trusted him.

It took me weeks of sleepless nights building the project. I had a full-time job that time, and I worked on the project during evenings. All went well, and as we reach the {{ completionDate }}, the demo site is already up and running.

A week before the {{ completionDate }}, he hired his new wife as the COO of the startup. It was cool, she keep noticing things on the site which shouldn't be there, and keeps on suggesting sections that has to be there. I was okay with it, until I realized that we are already a month late with the deadline.

Every single hour, I get a message from them like, "it's not working", "when can you finish this feature?", blah blah blah.. and so on.

I got frustrated.

"I want my fucking life back", I told them. No one cared about the {{ completionDate }}, the sleepless zombies they are working with and our payment. They keep on coming up with this "amazing" ass features, and now they are not paying because they said "it's not complete".

Idiot enough to trust a friend. I was unprotected, there was no legal-binding document that states their obligation to pay.

My dev friend and I handed over the project to this web development company which they prefer, and kept a backdoor on the application.

I kind of moved on with the payment issue after a month. But without their knowledge, I kept an eye on the progress and made sure that I still have the access to their server, DNS, etc..

BUT when they announced the official launch on social media, I realized that I was on the wrong train the whole time.

They switched to a different server.

They thanked all the people involved with the project via social media, EXCEPT me and my coding partner who originally built the site from ground up. A little "thank you" note from them will make us feel a little better. But, never happened.

I checked up the site and it was rewritten from originally Laravel 5 to CodeIgniter 1. That is like shifting from a luxury yacht where you can bang some hot chicks, to a row boat where your left hand is holding the paddle whilst your right hand is wanking yourself.

I almost ran out of bullets.

Luckily, CodeIgniter 1 was prone to SQLi by default.

I was able to get the administrator password in plain text and fucked with their data. But that didn't make me feel better because other people's info are involved.

So, I looked for something else to screw with. What I found? A message with the credit card details.

Finally, a chance to do something good for humanity. I just donated a few thousand dollars to different charity websites.

Submit a request via URL /submit&approved=0: Committee rejects request.

Submit same request via URL /submit&approved=1: Committee asks who approved the request.

I have quite a few of these so I'm doing a series.
(2 of 3) Flexi Lexi

A backend developer was tired of building data for the templates. So he created a macro/filter for our in house template lexer. This filter allowed the web designers (didn't really call them frond end devs yet back then) could just at an SQL statement in the templates.

The macro had no safe argument parsing and the designers knew basic SQL but did not know about SQL Injection and used string concatination to insert all kinds of user and request data in the queries.
Two months after this novel feature was introduced we had SQL injections all over the place when some piece of input was missing but worse the whole product was riddled with SQLi vulnerabilities.

Nice one, Alex

Looking for bug bountry online and trying to find sqli bug.
I tried using sqlmap but no success.
Is it about WAF they're using or sqlmap is not complete ?
(I set the level and risk to highest possible)

Thanks
@ExGetMessage

Bug is not fixable

I get these as I have to submit security issues as bugs and then help whoever is in charge of the fixing find and implement a good solution. But apparently , nope . In some devs opinion , sqli issues are not fixable .

After finding SQLi on an internal application during its security review:

DB team: Well it's a remote database, so you're just seeing HTML...wait why do you see user accounts in that web field?