Found a SQL Injection Vulnerability on a Live Website


As part of continuous learning in ethical hacking, a SQL Injection vulnerability was discovered on a real-world admin login panel.

Tested Payload:

' OR 1=1 -- 

Affected Endpoint: https://lnkd.in/guJZ2AMx

This payload bypassed authentication, demonstrating how improper input handling creates security risks. The issue was responsibly reported to the website owners.

You Should Know:

Preventing SQL Injection

1. Use Prepared Statements (Parameterized Queries)

  • PHP (PDO):
    // Placeholders keep user input out of the SQL grammar; the value is bound separately.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
    $stmt->execute(['username' => $input_username]);
    
  • Python (psycopg2):
    # The driver substitutes %s with the bound value; never use Python string formatting here.
    cursor.execute("SELECT * FROM users WHERE username = %s", (input_username,))
    

2. Input Validation & Sanitization

  • Bash (Regex Check):
    # Allowlist: only letters, digits and underscore are accepted; reject anything else.
    if [[ ! "$input" =~ ^[a-zA-Z0-9_]+$ ]]; then
      echo "Invalid input" >&2
      exit 1
    fi
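
As an added example (not code from the original post), the Python script below puts sections 1 and 2 side by side: a login query built by string concatenation, the same query with bound parameters, and an allowlist check on the username in front of it. It uses the standard-library sqlite3 module with a constructed in-memory users table, so it runs offline; the function and table names are assumptions for the illustration, and the password is stored in plain text only to keep the example short.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory database with a single user (password kept in
    # plain text purely to keep the example short; real code stores a hash).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: user-controlled text becomes part of the SQL grammar,
    # so a quote and a comment sequence can rewrite the WHERE clause.
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Bound parameters: the driver passes the values separately from the
    # statement text, so they can never change the query structure.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Same allowlist as the Bash check above: letters, digits, underscore, bounded length.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value):
    # fullmatch requires the whole string to match, so "admin\n" is rejected too.
    return USERNAME_RE.fullmatch(value) is not None


def login_defense_in_depth(conn, username, password):
    # Validation first, parameterized query second: either layer alone stops
    # the tautology payload; together they also reject malformed usernames early.
    if not is_valid_username(username):
        return False
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "
    print("vulnerable:     ", login_vulnerable(db, payload, "anything"))
    print("parameterized:  ", login_parameterized(db, payload, "anything"))
    print("defense in depth", login_defense_in_depth(db, payload, "anything"))
```

Running the script shows the concatenated query accepting the tautology payload with an arbitrary password, while the parameterized query and the validated path both reject it and still accept the legitimate credentials.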
    

3. Stored Procedures

  • SQL Example:
    -- DELIMITER is needed in the mysql client so the semicolon inside the body does not end the statement.
    DELIMITER $$
    CREATE PROCEDURE GetUser(IN user_id INT)
    BEGIN
      SELECT * FROM users WHERE id = user_id;
    END $$
    DELIMITER ;
    

4. Least Privilege Database Access

  • MySQL Command:
    GRANT SELECT ON database.users TO 'webuser'@'localhost'; 
    

5. Web Application Firewall (WAF) Rules

  • ModSecurity Rule (Apache):
    SecRule ARGS "@detectSQLi" "id:1,deny,status:403" 
    

Testing for SQL Injection

  • Manual Testing with cURL:
    curl -X POST "https://example.com/login" --data "username=admin' OR 1=1 --&password=123" 
    
  • Automated Scanning with SQLmap:
    sqlmap -u "https://example.com/login?user=1" --risk=3 --level=5 
    

Post-Exploitation Detection

  • Check Database Logs (MySQL):
    -- Requires general_log=ON and log_output=TABLE; the argument column holds the statement text.
    SELECT * FROM mysql.general_log WHERE argument LIKE '%OR 1=1%';
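
The LIKE query above is a quick first pass but matches any query that merely contains the text "OR 1=1", including one where it sits harmlessly inside a quoted string. As an added example (not from the original post), the Python script below parses constructed lines in the MySQL general_log file format (timestamp, thread id, command type, argument; the sample lines are made up for this illustration), blanks out string literals, and only then applies a few signatures: a tautology, a comment terminator, UNION SELECT, a stacked statement, and a quote left unbalanced by the injection. The function names and signature list are assumptions for the illustration.

```python
import re

# Constructed sample lines in MySQL general_log file format; not from a real server.
SAMPLE_LOG = (
    "2024-05-01T10:00:01.000001Z\t   12 Connect\twebuser@localhost on shop using TCP/IP\n"
    "2024-05-01T10:00:01.000002Z\t   12 Query\tSELECT * FROM users WHERE username = 'alice' AND password = 'hunter2'\n"
    "2024-05-01T10:00:02.000003Z\t   13 Query\tSELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = 'x'\n"
    "2024-05-01T10:00:03.000004Z\t   14 Query\tSELECT name FROM products WHERE id = 5 UNION SELECT password FROM users\n"
    "2024-05-01T10:00:04.000005Z\t   15 Query\tSELECT * FROM orders WHERE note = 'OR 1=1 is my favourite band'\n"
)

# time, thread id, command type, argument (the argument is the SQL text for Query rows)
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")
# A complete single-quoted literal, honouring backslash escapes.
STRING_LITERAL_RE = re.compile(r"'(?:[^'\\]|\\.)*'")

# Signatures are applied to the query with literals blanked out, so text that an
# attacker supplied but that stayed *inside* a literal (harmless) is not flagged.
SIGNATURES = {
    "tautology": re.compile(r"\bOR\s+(\w+)\s*=\s*\1\b", re.I),
    "comment terminator": re.compile(r"--(\s|$)|/\*"),
    "union select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "stacked statement": re.compile(r";\s*(?:DROP|DELETE|UPDATE|INSERT|ALTER)\b", re.I),
}


def parse_general_log(text):
    # Yield one record per well-formed line; malformed lines are skipped.
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {
                "time": m.group(1),
                "thread": int(m.group(2)),
                "command": m.group(3),
                "argument": m.group(4),
            }


def blank_literals(sql):
    # Replace every complete literal with '?' so the structure of the query remains.
    return STRING_LITERAL_RE.sub("'?'", sql)


def analyse_query(sql):
    stripped = blank_literals(sql)
    reasons = [name for name, rx in SIGNATURES.items() if rx.search(stripped)]
    # Any quote left after blanking complete literals means the quoting is unbalanced,
    # which is what happens when an injected quote and comment cut the statement short.
    if "'" in stripped.replace("'?'", ""):
        reasons.append("unbalanced quote")
    return reasons


def detect_sqli(text):
    # Return (thread id, reasons) for every Query row that trips at least one signature.
    findings = []
    for rec in parse_general_log(text):
        if rec["command"] != "Query":
            continue
        reasons = analyse_query(rec["argument"])
        if reasons:
            findings.append((rec["thread"], reasons))
    return findings


if __name__ == "__main__":
    for thread, reasons in detect_sqli(SAMPLE_LOG):
        print(f"thread {thread}: {', '.join(reasons)}")
```

On the sample lines this flags the tautology login (thread 13, three reasons) and the UNION query (thread 14), while the order note that merely contains "OR 1=1" inside a string literal is left alone; the LIKE query from the page would have reported that one as well.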
    

What Undercode Say

SQL Injection remains a critical threat due to poor coding practices. Ethical hackers must balance visibility and responsibility—demonstrating flaws without exposing live systems unnecessarily. Use secure coding practices, enforce strict input validation, and adopt defense-in-depth strategies.

Expected Output:

  • Secure login mechanisms.
  • Logged and monitored database queries.
  • Regular penetration testing reports.

Reported By: Whitedevil2468 Ethicalhacking – Hackers Feeds