My First Critical Bug: Exposing 3.5 Lakh+ PII!


cryptoshant🇮🇳

InfoSec Write-ups

Hello Hackers! In this write-up I am going to tell you how I accidentally discovered my very first critical bug, which disclosed the PII of 3.5 lakh+ people along with database credentials, API keys, secret keys, router information and more. Let’s go.

credit: DALL-E

During my penetration testing journey, I was assigned a task to submit at least 10 bugs through the openbugbounty platform. So I quickly messaged my best friend and mentor AbhirupKonwar bhaiya, because he has already reported 1000+ bugs to this platform, and he suggested that I use automation. That is how I came across the nuclei tool. If you don’t know it, do some research on this tool; it is amazing.

I quickly ran the tool with a very basic command:

nuclei -target https://example.com
backup-file found 🤑

Nuclei reported a backup file, which was basically a zip file containing the full source code of the website, including database files and lots of other things.

After looking through each and every file, I found the following juicy information:

found some keys with their secrets
api_key, api_secret 🤩
database credentials 😛🤩
Full router information 😲

After seeing all this information I was about to report the bug, but there was so much more that I thought I should look at a few more database files. That is when I found the file filename.sql, which contains every SQL query used by the website and also all the user data that had been inserted into the database. When I looked around in this data I found 3.5 lakh+ users’ records, including their user_id, full name, phone number, city, zip code, address, street_name, last_updated logs, and many more fields.
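As an added example (my own illustration, not the author’s tooling), here is a small Python triage script for the manual step described above: given text recovered from such a backup, it reports which config keys carry secrets (without echoing the values) and which tables hold PII-like columns, so the scope of exposure can be stated precisely in a report. The config and SQL dump below are constructed samples, and the row count assumes one row per INSERT statement.

```python
import re
from collections import Counter

# Constructed sample of what a leaked backup might contain (all values made up).
SAMPLE_CONFIG = """\
DB_HOST=localhost
DB_USER=app
DB_PASSWORD=changeme123
API_KEY=AKXXXXEXAMPLE
API_SECRET=s3cr3t-example
"""

SAMPLE_SQL = """\
CREATE TABLE users (user_id INT, full_name TEXT, phone TEXT, city TEXT, zip TEXT, address TEXT);
INSERT INTO users (user_id, full_name, phone, city, zip, address) VALUES (1,'A','9999999999','X','110001','S1');
INSERT INTO users (user_id, full_name, phone, city, zip, address) VALUES (2,'B','8888888888','Y','110002','S2');
INSERT INTO logs (id, msg) VALUES (1,'ok');
"""

# Column names that indicate personal data (extend for your own schema).
PII_COLUMNS = {"full_name", "phone", "address", "zip", "email", "city", "street_name"}

# KEY=value lines whose key names a credential; only the key is reported.
SECRET_KEY_RE = re.compile(r"^\s*(DB_PASSWORD|API_KEY|API_SECRET|SECRET_KEY)\s*=\s*(.+)$", re.M | re.I)

# INSERT INTO <table> (<columns>) ... ; captures the table and its column list.
INSERT_RE = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?\s*\(([^)]*)\)", re.I)


def find_secrets(config_text):
    """Return the names of secret-bearing keys present in config text, never their values."""
    return sorted({m.group(1).upper() for m in SECRET_KEY_RE.finditer(config_text)})


def triage_sql_dump(sql_text):
    """Count INSERT statements per table and flag tables whose columns look like PII.

    Returns (rows_per_table, pii_tables) where pii_tables maps a table name to
    the sorted list of PII-like columns it exposes.
    """
    rows = Counter()
    pii_tables = {}
    for m in INSERT_RE.finditer(sql_text):
        table = m.group(1)
        cols = {c.strip(" `").lower() for c in m.group(2).split(",")}
        rows[table] += 1
        hit = cols & PII_COLUMNS
        if hit:
            pii_tables[table] = sorted(hit)
    return dict(rows), pii_tables
```

Run against a real dump, the per-table counts give the "N users affected" figure and the flagged columns give the categories of PII, which is exactly what the vendor and any regulator will ask for.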

In the photo below I only show the user_id:

get full PII of 3.5 lakhs+ users 🥳

Then I quickly wrote a full report and submitted it to the company through the openbugbounty platform. Now let’s see how the company will handle the report 🤞.

Thank you for taking the time to read my journey into discovering this critical bug! I truly appreciate your support and enthusiasm for cybersecurity.

If you found this write-up insightful, don’t forget to give it some claps and follow me for more exciting content on bug hunting, vulnerabilities, and cybersecurity insights. Let’s stay connected and continue exploring the world of security together!

Stay curious, stay safe! 😊
