
Zomato SQL injection

  • Title: [https://reviews.zomato.com] Time-based SQL injection.
  • Reported by: Samengmg.
  • Bounty rewarded: $1,000.
  • Web application URL: https://reviews.zomato.com.
  • Description: Zomato is an online restaurant search and food discovery/delivery service through which users can research restaurants and their menus. It is a community-based platform through which users can rate restaurants as well as provide feedback about them for other users to view.

This was a time-based SQL injection in a cookie of reviews.zomato.com, identified by Samengmg. It is a very simple yet peculiar kind of SQL injection that we can use as a reference for our own bug bounty hunting. While looking for uncommon anomalies, Samengmg identified two strangely named cookies in Zomato's reviews web application. The cookies were as follows:

    • Orange
    • Squeeze

Time-based blind SQL injection in the Orange cookie

As discussed earlier, it is crucial to fuzz every parameter you find, since the responses give a much better idea of how the input is handled. That is exactly what the reporter did: he fuzzed both cookies and found that the following payload, placed in the Orange cookie, delayed the response by the expected 10 seconds:

1'=sleep(10)='1

In normal cases the response code is a 302 redirect, but with the sleep payload in place it was a 200 OK. The next step was to craft payloads to determine the database version; each one only sleeps when the guessed first character of the version string is correct:

    '=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1
    '=IF(MID(VERSION(),1,1)=5,SLEEP(10),0)='1

Boolean-based blind SQL injection in the Squeeze cookie

The Squeeze cookie had a Boolean-based blind SQL injection, which was also fairly simple to identify and exploit. The identification payloads for the Boolean SQL injection were as follows:

1 ' or true#
1 ' or false#
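
As an added defender's-side example, not taken from the original write-up, the following Python scans access-log lines for cookie values shaped like the time-based and Boolean-based probes shown above; the sample log lines, the log format and the regexes are assumptions constructed for this snippet. It also shows why a delay payload alone is only a probe: the same payload with a stalled response means the injected condition evaluated true, which is how the version character was read out.

```python
import re
from urllib.parse import unquote
# Constructed access-log lines ('<status> <seconds> "Cookie: ..."'), not real traffic;
# lines 1, 2, 4 and 5 carry the payload shapes from the write-up, URL-encoded.
SAMPLE_LOGS = [
    '200 10.02 "Cookie: Orange=1%27%3Dsleep(10)%3D%271; Squeeze=abc"',
    '200 0.04 "Cookie: Orange=xyz; Squeeze=1%20%27%20or%20true%23"',
    '200 0.05 "Cookie: Orange=abc123; Squeeze=def456"',
    '200 0.06 "Cookie: Orange=%27%3DIF(MID(VERSION(),1,1)%3D1,SLEEP(10),0)%3D%271; Squeeze=x"',
    '200 10.11 "Cookie: Orange=%27%3DIF(MID(VERSION(),1,1)%3D5,SLEEP(10),0)%3D%271; Squeeze=x"',
]

LOG_RE = re.compile(r'^(\d{3}) ([\d.]+) "Cookie: (.*)"$')
# Delay functions of time-based probes; quote + always-true/false tail; version read-out.
TIME_DELAY = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)
TAUTOLOGY = re.compile(r"'\s*(or|and)\s+(true|false|\d+\s*=\s*\d+)\s*(#|--|/\*)?", re.I)
DB_PROBE = re.compile(r"\b(version|mid|substring|if)\s*\(", re.I)

def parse_cookies(header):
    # Split "a=1; b=%27x" into {"a": "1", "b": "'x"}; values are URL-decoded.
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = unquote(value)
    return cookies

def classify_cookie(value, elapsed):
    reasons = []
    if TIME_DELAY.search(value):
        reasons.append("time-delay function")
        if elapsed >= 5:  # the delay fired: the injected condition evaluated true
            reasons.append("response stalled %.1fs" % elapsed)
    if TAUTOLOGY.search(value):
        reasons.append("boolean tautology")
    if DB_PROBE.search(value):
        reasons.append("db-version probe")
    return reasons

def scan_logs(lines):
    # Return (cookie name, status, reasons) for every suspicious cookie seen.
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        status, elapsed, header = m.group(1), float(m.group(2)), m.group(3)
        for name, value in parse_cookies(header).items():
            reasons = classify_cookie(value, elapsed)
            if reasons:
                findings.append((name, status, reasons))
    return findings
```

Run `scan_logs(SAMPLE_LOGS)` to see that the `=1` version probe is flagged as a probe only, while the `=5` probe with a 10-second response is flagged as a probe whose condition fired.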

According to my analysis, Samengmg should have exploited this vulnerability to the fullest and provided a full proof of concept so that he could have been rewarded with an increased bounty.
