
Thread: Blind SQL Injection in PayPal Notifications worth $3000

  1. #1
    Webapp Secninja
    Join Date
    Aug 2012
    Location
    Ranchi, Jharkhand
    Posts
    41
    Blog Entries
    2

    Blind SQL Injection in PayPal Notifications worth $3000

    On 28th December 2012 I found a Blind SQL Injection vulnerability in the Paypal Notifications (https://www.paypal-notify.com).

    This bug allowed me to access the database of the Paypal Notifications system. More details on Blind SQL Injection can be read here, and an exploitation tutorial by Amol Naik can be seen here.


    SQLMap showing the database name after the Injection

    On 21st January the Paypal Site Security Team sent the reward amount, which was $3000 for the SQLi and an additional $350 for other less critical bugs.

    I'm very thankful to the Paypal Site Security Team for the reward and to Shai Rod for additional help.

    Cheers to all Garage Members
    Last edited by prakhar; 01-30-2013 at 11:27 AM.
    Hacking Wacking Sab Moh Maya Hai

  2. #2
    I also reported and they said it's a copy, now I know why?

  3. #3
    Super Commando Dhruv abhaythehero
    Join Date
    Sep 2010
    Location
    Lucknow/Pune,India
    Posts
    466
    Blog Entries
    2
    Quote Originally Posted by prince_indishell
    I also reported and they said it's a copy, now I know why?
    Bad luck prince_indishell. Better luck next time! You can also start an account on Bugcrowd, where they give you the chance to work with organizations for testing their web apps. Some have monetary prizes and some don't.
    In the world of 0s and 1s, are you a zero or The One !

  4. #4
    Webapp Secninja
    Quote Originally Posted by prince_indishell
    I also reported and they said it's a copy, now I know why?
    Hard luck bro.

    Keep hunting, all the best.
    Hacking Wacking Sab Moh Maya Hai

  5. #5
    Doing hunting :P

    Reported 73 bugs, all duplicate or rejected :P

    Also reported tons of XSS on AT&T but still no reply.

    Reported on Google, Microsoft, Mozilla, and many more.

    So much fad now with bug hunting, now time to learn something new.

  6. #6
    It would be nice if you could comment your thoughts on my topic

    http://www.garage4hackers.com/f30/remote-root-3252.html

  7. #7
    Security Researcher fb1h2s
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    @prakhar keep sharing stuff and you deserve the $$. prince_indishell, no probs, hard work will always be paid, so keep doing what keeps you interested.
    Hacking Is a Matter of Time Knowledge and Patience

  8. #8
    Webapp Secninja
    Quote Originally Posted by prince_indishell
    It would be nice if you could comment your thoughts on my topic

    http://www.garage4hackers.com/f30/remote-root-3252.html

    That's pure bad luck.

    I hope you find bugs with fewer dups next time.
    Hacking Wacking Sab Moh Maya Hai
