How I found a SQL injection vulnerability on a government organization website!

2 days ago 12

Gokuleswaran B

Note: Automation Failed Here But Manual Research Wins Here

Last night, while casually poking around the internet (totally not looking for trouble), I stumbled upon a government website. Curiosity kicked in and with a few well-placed SQL payloads, boom — access granted! It turns out that their database had fewer security measures than my Wi-Fi password.

Sitting with Tired and Sleepy

SQL Injection vulnerabilities remain a significant threat to web applications, and a recent security flaw in the Tamil Nadu Government portal has led to critical data exposure. This flaw allowed attackers to manipulate database queries, potentially accessing sensitive citizen information without proper authorization.

SQL Injection

Imagine gaining access to thousands of citizens’ sensitive data (a confidential drug name and distributors list) just by injecting a malicious SQL query. Alarming, right? That’s exactly what happened with the Tamil Nadu Government portal, where a critical SQL Injection vulnerability exposed highly confidential information to potential exploitation.

By manipulating database queries, attackers could retrieve, modify, or even delete sensitive records, posing a serious threat to data integrity and privacy. This incident underscores the urgent need for secure coding practices, regular security audits, and robust database protection to prevent such breaches.

Opening Laptop and Going to Browser (Felt Very Tired)

It all started with Recon — Can you believe it?

You Can’t Believe

How Did It Start?

1️⃣ Find All Domains & Subdomains
amass enum -passive -d target.com -o subdomains.txt

2️⃣ Resolve Live Subdomains
cat subdomains.txt | httpx -silent -mc 200,403,401 -o live_subdomains.txt

3️⃣ Using Nuclei, which is my Best Friend [Blossom Tool]
nuclei -l live_subdomains.txt

4️⃣ But Nuclei didn’t find this; my eye found it (that’s why you shouldn’t depend on automation)

“Now Found Login Page”

Found a Login Page

Even more tired and unhappy, I tried to add the following as the username: (admin’ — \)

Suddenly got a pop-up with an SQL error
SQL Error Da SQL Error
Ran sqlmap and the database was dumped
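
Why a single quote in the username field surfaces a database error, and how a bound parameter prevents it: this is an added example, not code from the original post or the affected site. It assumes a SQLite back end through Python's sqlite3 module; the table, credentials, salt and function names are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-salt"  # constructed; real systems use a per-user random salt

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db():
    """Constructed in-memory table standing in for a login back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", pw_hash("constructed-pass")))
    return db

def login_vulnerable(db, username, password):
    """String-built query: the username is parsed as part of the SQL text."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    try:
        return "ok" if db.execute(sql).fetchone() else "denied"
    except sqlite3.Error as exc:
        # Returning this text to the browser is the SQL error symptom.
        return "sql-error: " + str(exc)

def login_safe(db, username, password):
    """Parameterized query: the driver binds the username as data only."""
    try:
        row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                         (username,)).fetchone()
    except sqlite3.Error:
        return "denied"  # log server-side; never echo database errors
    if row and hmac.compare_digest(row[0], pw_hash(password)):
        return "ok"
    return "denied"

if __name__ == "__main__":
    db = make_db()
    # Second value is constructed: an ordinary name that contains a quote.
    for name in ("admin", "o'connor"):
        print(repr(name),
              login_vulnerable(db, name, "constructed-pass"),
              login_safe(db, name, "constructed-pass"))
```

The string-built version breaks on any input containing a quote, which is the signal to look for in application error logs; the bound version treats the same input as an unknown username.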

Instead of ignoring it, I:

Reported the SQL Injection vulnerability to the concerned authorities.
Explained the risks of unprotected database queries.
Ensured they patched the issue and secured the data.

Mass Data Breach — Attackers can extract and sell sensitive citizen information.
System Compromise — Malicious queries could grant full database control, leading to data manipulation or deletion.
Regulatory Violations — Exposing personal data can result in legal consequences under Indian data protection laws.
Official Acceptance from the CERT-In Team

Cheers and peace out!
