While searching for job opportunities, I came across a vacancy posted on vacancy.example.com for a Web Penetration Tester. Naturally, I clicked on it out of curiosity.
At first glance, the website appeared outdated. The vacancy I found was posted back in 2022, and the page itself looked expired and no longer actively maintained. Since I was already there, I decided to randomly inspect what the website was built with.
I turned on my Chrome extensions and used Wappalyzer. The result showed that the application was built using PHP.
That instantly made me more curious.
Older PHP applications, especially abandoned ones, are often prone to classic web vulnerabilities. At that moment, I became excited about the possibility of finding a bug — specifically SQL Injection.
The First Test
As a quick manual check, I added a single quote (semicolon-style test) at the end of one of the URL parameters.
And boom.
The application returned a SQL error message as shown in the image below.

That was enough to confirm my suspicion. Error messages revealing database behavior usually indicate improper input sanitization. At this point, I was fairly confident that I had discovered an SQL injection vulnerability.
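The root cause behind that kind of error and its fix, as an added example that is not the site's own code: the table, column and function names are assumptions, and an in-memory SQLite database accessed through PDO stands in for the real backend.

```php
<?php
// Added example: constructed schema and data; the real application's code is not on the page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE jobs (title TEXT, category TEXT, pdate TEXT)");
$pdo->exec("INSERT INTO jobs VALUES ('Web Penetration Tester', 'Information Technology', '2022-10-30')");

// Vulnerable pattern: the request value becomes part of the SQL text,
// so a stray quote changes the statement's syntax.
function findJobsUnsafe(PDO $pdo, string $pdate): array
{
    $sql = "SELECT title FROM jobs WHERE pdate = '" . $pdate . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: check the expected YYYY-MM-DD shape, then bind the value as data.
function findJobsSafe(PDO $pdo, string $pdate): array
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $pdate);
    if ($d === false || $d->format('Y-m-d') !== $pdate) {
        throw new InvalidArgumentException('pdate must be YYYY-MM-DD');
    }
    $stmt = $pdo->prepare('SELECT title FROM jobs WHERE pdate = :pdate');
    $stmt->execute([':pdate' => $pdate]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a valid date, and the same date with a trailing single quote.
foreach (['2022-10-30', "2022-10-30'"] as $input) {
    try {
        echo "unsafe result: ", json_encode(findJobsUnsafe($pdo, $input)), "\n";
    } catch (PDOException $e) {
        // Log the driver message server-side; the client gets a generic error only.
        error_log($e->getMessage());
        echo "unsafe: database error (details logged, not displayed)\n";
    }
    try {
        echo "safe result: ", json_encode(findJobsSafe($pdo, $input)), "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe: input rejected before reaching the database\n";
    }
}
```

Binding the parameter removes the injection; keeping driver messages out of the HTTP response (for example with `display_errors` off in production) removes the error disclosure that made the flaw visible from the browser.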
Verifying with SQLMap
To further validate the issue, I opened my terminal and used SQLMap to automate the testing process.
sqlmap -u "https://vacancy.example.com/job-detail.php?catt=Information%20Technology&titleofpo=Web%20Penetration%20Tester&pdate=2022-10-30" -p pdate --batch --level=2 --risk=1
SQLMap confirmed that the pdate parameter was vulnerable to SQL injection and reported multiple exploitation techniques.

Enumerating Databases
After verifying the SQL injection, I proceeded carefully to enumerate the databases:
sqlmap -u "https://vacancy.example.com/job-detail.php?catt=Information%20Technology&titleofpo=Web%20Penetration%20Tester&pdate=2022-10-30" -p pdate --dbs
SQLMap listed multiple databases.

After confirming the impact, I immediately stopped further testing.
I responsibly reported the vulnerability to the company's CTO via LinkedIn, clearly explaining:
- The vulnerable endpoint
- The affected parameter
- The potential risk

Thankfully, the response was ethical and professional. Unfortunately, the company informed me that they do not have a bug bounty program, but they appreciated the responsible disclosure.