Hello friends, today I am going to share my find in Zameen.com, which is a MySQL injection, and I think that this was the vulnerability which was used by the attacker to hack into the zameen.com server and dump the data. So let's get started.
SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database.
You can get more details on this over at OWASP.
This vulnerability was first reported to them on 11/2/15, and there was no response to the email and it was unattended until they got hacked. Here is the image of the email that I sent.
And after that I got their reply like this.
And that was it. After the report there was no reply after that, even though I contacted them many times for any update, and the issue was not solved.
And when they were hacked, I got this reply from them, and it was quite a surprise for me to see this email.
Now the vulnerability was fixed after this email and I am glad they did take it seriously, so enjoy the POC and do share it with your friends.
Here is the video POC of the vulnerability.