June 1, 2026
Two SQLi vulnerabilities on Reddit in February 2024
Neemaaf
Introduction
Hi, I'm Nima Afsharian (neemaaf), a security researcher and bug bounty hunter from Iran with a strong focus on web application security. At the time of this finding, I was 18 years old and actively hunting high-severity vulnerabilities on major platforms. This article is a cleaned-up, technical-only version of my original write-up (https://memoryleaks.ir/two-sqli-in-reddit/).
Reconnaissance and Endpoint Discovery
Effective reconnaissance is essential. A custom Bash script was used that automates subdomain enumeration using standard methods plus two particularly effective techniques: GitHub search and DNS brute-forcing. These often surface high-value targets.
After reviewing subdomains, one stood out due to a new Reddit feature being tested. Manual enumeration of its endpoints revealed two suspicious ones:
- getscore.php?team= — A GET endpoint that searched and returned scores based on the team parameter.
- postscore.php — A POST endpoint that accepted parameters such as uid and team to insert data into the same scoring table.
Both endpoints were vulnerable to Time-based Blind SQL Injection.
Vulnerability Description
SQL Injection occurs when user-controlled input is concatenated into SQL queries without proper sanitization or parameterization, allowing an attacker to alter the query logic.
Detection begins by identifying areas where the application performs CRUD operations on a database. Once database interaction was confirmed on these endpoints, testing commenced.
Adding single quotes (') or double quotes (") produced no visible errors or behavioral changes, suggesting robust error handling (e.g., try-catch blocks) on the backend.
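The following added example (not code from the write-up or from Reddit) shows the two patterns the description contrasts: a getscore-style lookup that splices the team parameter into the SQL text, beside the same lookup with a bound parameter. It uses an in-memory SQLite table whose name and columns (scores, uid, team, score) are assumptions. A team name containing a quote breaks the concatenated query, while the parameterized query treats it, and the write-up's payload, as plain data; the silenced variant mirrors the swallowed-error behaviour that hid the signal during testing.

```python
import sqlite3

# The write-up's time-based payload, used here only as an input string.
PAYLOAD = "neema'XOR(if(now()=sysdate(),SLEEP(6),0))XOR'Z"


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the scoring table; schema is an assumption.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scores (uid TEXT, team TEXT, score INTEGER)")
    conn.executemany(
        "INSERT INTO scores VALUES (?, ?, ?)",
        [("u1", "red", 10), ("u2", "blue", 7), ("u3", "O'Neil", 3)],
    )
    return conn


def get_score_vulnerable(conn, team):
    # Vulnerable pattern: user input becomes part of the SQL text, so a quote
    # in the input changes the statement's structure instead of being data.
    sql = "SELECT uid, score FROM scores WHERE team = '" + team + "'"
    return conn.execute(sql).fetchall()


def get_score_safe(conn, team):
    # Hardened pattern: the SQL text is fixed; the value is bound separately
    # and can never be parsed as SQL, whatever characters it contains.
    sql = "SELECT uid, score FROM scores WHERE team = ?"
    return conn.execute(sql, (team,)).fetchall()


def get_score_vulnerable_silenced(conn, team):
    # Same flaw, but with the broad exception handling the write-up suspected:
    # the syntax error caused by a stray quote is swallowed and nothing
    # visible changes in the response.
    try:
        return get_score_vulnerable(conn, team)
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    db = make_db()
    print("safe, legitimate quote:", get_score_safe(db, "O'Neil"))
    print("vulnerable, legitimate quote:", get_score_vulnerable_silenced(db, "O'Neil"))
    print("safe, payload treated as data:", get_score_safe(db, PAYLOAD))
```

The same rule applies to the postscore.php insert path: bind uid and team as parameters rather than building the INSERT statement from strings.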
Exploitation: Time-based SQL Injection
Because error-based or union-based techniques were ineffective, Time-based Blind SQLi was employed. This technique infers information based on response timing.
Example Payload:
neema'XOR(if(now()=sysdate(),SLEEP(6),0))XOR'Z
Breakdown:
- neema' — Exits the original string context.
- XOR(if(now()=sysdate(),SLEEP(6),0)) — If the condition is true, the database sleeps for 6 seconds.
- XOR'Z — Closes the injection cleanly and appends harmless content to avoid syntax errors.
This payload consistently produced measurable delays when the condition was met, confirming the vulnerability in both endpoints.
Important Note: Automated tools like sqlmap failed to detect this injection. The main reason was that the payloads required double nested parentheses (e.g. (( ))) to bypass Reddit's Web Application Firewall (WAF). Manual testing remains critical for blind/time-based cases in such heavily protected environments.
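Because the payload's only observable effect is response latency, the defender-side signal is a timing function name in a request parameter combined with an abnormally slow response. The following added example (not code from the write-up) runs that check over constructed access-log lines in an assumed format (client, request, status, response milliseconds); the second and fourth lines carry the write-up's payload URL-encoded, one served slowly and one blocked quickly, which a WAF-protected deployment like the one described would produce.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real Reddit logs). Assumed format:
# <client> "<method> <path?query>" <status> <response_ms>
SAMPLE_LOG = """\
10.0.0.5 "GET /getscore.php?team=red" 200 41
10.0.0.5 "GET /getscore.php?team=neema%27XOR%28if%28now%28%29%3Dsysdate%28%29%2CSLEEP%286%29%2C0%29%29XOR%27Z" 200 6047
10.0.0.9 "GET /getscore.php?team=blue" 200 38
10.0.0.5 "GET /getscore.php?team=neema%27XOR%28if%28now%28%29%3Dsysdate%28%29%2CSLEEP%286%29%2C0%29%29XOR%27Z" 403 12
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) (\d+)$')
# Timing functions the write-up's payload depends on; checked after URL decoding
# so percent-encoding does not hide them.
TIMING_RE = re.compile(r"\b(sleep|benchmark|sysdate)\s*\(", re.IGNORECASE)


def parse_line(line):
    # Parse one log line into a record; return None for lines that do not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, target, status, ms = m.groups()
    path, _, query = target.partition("?")
    return {
        "client": client,
        "method": method,
        "path": path,
        "query": unquote_plus(query),
        "status": int(status),
        "ms": int(ms),
    }


def flag_time_based_sqli(log_text, slow_ms=5000):
    # Flag requests whose query string contains a timing function. A slow
    # response means the injected delay fired (high); a fast or blocked one
    # still records an attempt worth reviewing (medium).
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not TIMING_RE.search(rec["query"]):
            continue
        severity = "high" if rec["ms"] >= slow_ms else "medium"
        alerts.append((rec["client"], rec["path"], severity, rec["ms"]))
    return alerts


if __name__ == "__main__":
    for alert in flag_time_based_sqli(SAMPLE_LOG):
        print(alert)
```

The latency threshold is the part to tune per endpoint: a baseline of tens of milliseconds for getscore.php makes a six-second response stand out, and repeated medium alerts from one client are a sign that the WAF is blocking probes rather than that the endpoint is safe.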