Have an account?
It looks like you're new here. If you want to get involved, click one of these buttons!
Apply for Membership
Who's Online (1)
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
General Security Discussions
Blind Sqli big site . should i report it ?
Founde Blind Sql Injection in a site that is serving downloads and hade about 90 million of downloads in 4 months .and this are only downloads from the website directly .
My question should i report it ? could i get a reward from the owners ? or just leave it ?
Moved: General Security Discussions. If you feel you must, why not? There's nothing wrong with being a good Samaritan. You could get a reward for doing so, but I'd be careful with how you word it. You don't want them to think you are extorting/black-mailing them.
Now, if you went beyond just finding the vulnerability (i.e. dumping data, uploading a backdoor, other things of a malicious nature), I would suggest to move on with your life as you've committed a crime. Same would apply if it were a vulnerable service. It's one thing to discover a vulnerability, it's another if you actually exploit it.
In the end, the choice is yours. That's just my opinion with this topic.
while( !(succeed = try() ) );
I'm gonna disagree slightly with m0rph... depending which country your in (or in which country the server/company is located) it's illegal to do what you've done already. 'Testing' someone's infrastructure or website (anything beyond passive/non-intrusive information gathering) without specific permission can be seen as you breaking the law. Some companies just hate knowing they spend stupid amounts of cash on security or a bod to take care of security and then it's still not secure. In general, If there ever was a reasonable usage of a website I'm sure looking for injection/execution vuln's wouldn't make the list.
You might say, well you've not dumped data or anything... but you'll have gone so far to test the vulnerability. M0rph is definitely right, don't mention money at all, if they get a whiff your after cash extortion may jump to mind. If you're after cash then you should try your hand at official bug bounties.
Technically even putting an apostrophe after the url as you do in SQL Injection could be classed as breaching the Computer Misuse Act. If you like the site you could always tell them anonymously.
Add a Comment