Hi Hackers, welcome all to this write up, After a long time from sharing write ups in medium, here is the new write up, about new tecnic, for How I able to Got Full SQL injection in a my target.

Whoami:

My name Ahmad Yussef, called in community as a7madn1, a security researcher, some information about me, I have discoverd around +15 Security Vulnerabilities At Google bug bounty program, and successfully got many Top Ranked there, and as well protected too much companies in the world from security vulnerabilities, I have a telegram channel I sometimes sharing a real write ups there my channel: https://t.me/a7madn1

So Now let's focus for simple tecnic, Many hackers don't know it or forget it when looking for Server side Injection.

I will make the write up, to be short as much, and just to give you the full information/tecnic to using it, I will don't make a lot of words, I will just gives you the useful and the simple tip.

let say my target is:

dedicated[.].com

Steps To Reproduce:

  • Found an Post request /Public/bookingAX.php
  • Contain the parameters ( task=unlockcode&lang=EN&eventnr=500&orderid=&code=500)

The Request:

None
The full request

Now I started a Manual testing for SQL Injection, with adding ' after each value of parameters , EX, (task=unlockcode&lang=de&etnr=500'&orderid=&code=500)

  • And continue my testing on each parameters
  • No Any results got by adding single quotation ' after the each parameter.
  • the response was like this always:

HTTP/1.1 200 OK Date: Friday, January 30, 2026, 16:11:19 GMT Content Type: Text/HTML Content Length: 96 Connection: Continuous Server: Apache Expiration Date: Thursday, November 19, 1981, 08:52:00 GMT Caching Control: No caching, no buffering, must re-verify Pragma: No buffering Vari: Accept encoding

{"stat":true,"msg":"Enter global action code","fields":null,"errors":null}

or msg: Permission Denied

Well , No let's test again by using some headers, many companies validation the trust to the server, by adding , (Origin, referrer) headers to the request (This headers sometimes make the hacker more trusted by the server, so the exactly what I mean, in order to the server can more trusting from who are sending the request).

Anyway, After added this two headers will be like :

  • Origin: https://dedicated[.]com
  • Referrer: https://dedicated[.]com
  • Now let's testing again the parameters by adding single quotation after each value of parameters.

Yes, as well as No any results 🤔😁.

it's same response:

None
The full response, with Permission Denied.

Let's move to more tecnic, using more headers:

the power of my header that I used, let's make a short details.

After many testing, many headers, I come from very interesting header,, it's called :

X-Requested-With: XMLHttpRequest

  • The X-Requested-With header is a non-standard HTTP header primarily used to indicate that an HTTP request was sent via Asynchronous JavaScript and XML (AJAX) from a browser,
  • X-Requested-With (XRW) is a nonstandard header. When a user installs and runs an application that uses a WebView to embed web content, the WebView will add the X-Requested-With header on every request sent to servers, with a value of the application APK name.

well I will don't add too much details about this header, you can searching about it in Google, and understand well how it work, validates and where you can add it.

But take this tips from me:

Always add this header X-Requested-With: XMLHttpRequest , when you see a payment function,booking function, event functions, and some other functions that need more information to check from the request .

Now let's move and continue the Steps:

  • Now adding X-Requested-With: XMLHttpRequest , to my original request, will be:
None
The full request with header, X-Requested-With: XMLHttpRequest
  • The response:
None
the response after adding the header, it's same first response, no problem

Now let's start again the Manual testing, by adding single quotation after each parameter and see if any parameter it's vulnerable To SQL Injection!!

  • After adding ' in value of code parameter , I saw this response 😱!!.
  • {"stat":true,"msg":"Database Error: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '驌''' at line 2: select * from promouses\n\t\t\t\twhere eventnr=500 and lower(code)=驌''","fields":null,"errors":null}
  • Yeaaah, Very happy to see that!!!, Error in Database!!!, very interesting 🤔.

The full request & response:

None
Full Request, Response, after adding X-Requested-With header.
  • Now the exploitation Part, I used this payload:
  • 500' AND (SELECT 9590 FROM (SELECT(SLEEP(8)))XFQD)-- rWRS
  • Successfully worked, But of course it's not enough, let's Open Sqlmap😈, and see if there a Waf or anything to return and dumb the database!!!
  • As I thought there was retrun, 403!
  • the full bypass of the waf was via this command:
  • sqlmap -u "https://dedicated[.]com/public/bookingAX.php" --data="task=unlockcode&lang=de&eventnr=500&orderid=&code=500" --cookie="PHPSESSID=Your-Cookies" --headers="X-Requested-With: XMLHttpRequest\nReferer: https://dedicated[.]com/itsec\nOrigin: https://dedicated[.]com" -p code --level=3 --risk=3 --technique=T --dbms=mysql --time-sec=8 --batch --random-agent --threads=5 --dbs
  • Yep, you must always adding Origin, referrer header to trying bypassing the Waf.

The full exploit from sqlmap , with returns the database🫣🫣😁:

None
Full Database Access.🔥

That all Guys, I hope you enjoyed, and I did my best to make the write up, very simple and easy ,And if you are interesting to join my private channel , you can read the details here https://t.me/a7madn1/141

Thank you for Reading 🥳,

Ahmad

#bugbountytips #hacking #sql injection #sql #hackerone #bugbounty #cyberseurity #security