July 11, 2026
Webverse-Pro CarCloppin
lab write-up

By 0zex
1 min read
Discovery:
— > we have a "book viewing" feature :
— > as you can see , the AI bot 'Riley' handles you your viewing based on the booking reference:
as you can see ; the bot retrieves your appointment based on your reference code ; the idea is ,the reference code is passed to a SQL / NOSQL query to fetch for matching references ,meaning our next target is trying an injection:
- as you can see ; the queries are not parameterized ,and we triggered a SQL syntax error ; based on the error format: the database is sqlite.
EXPLOIT:
- our next step is database enumeration(this write up doesn't include the full process).
→ Enumeration summary :
- the database is : sqlite
- the database returns 6 columns.
- the targeted table is : api_credentials
- the targeted column is : api_key
we've achieved our goal