So the other day I saw this article http://thehackernews.com/2016/05/hacker-mr-robot-season2.html on TheHackerNews and in Forbes how a hacker found a XSS vulnerability on Mr Robot Tv series official website. since I’m a big fan of the TV Series I went and look around bit . I wasn’t expecting to find any vulnerabilities but I had my burp running on side. so there was this section where we can subscribe our email and “join and be a part of the revolution” and so I did and I saw the request is going a page called “Usa_api.php” . I had put a single quote and see. Response didn’t come with any errors it just responded “Invalid E-mail Address” . Then I did “email=cc@cc.com’+and+’x’=’x” and it returned with “Access Denied“. which got me thinking maybe its vulnerable for blind SQLi

so I did some tests

true returns forbidden

false returned with Invalid E-mail Address

Since it was written PHP my best guest was it might have a MySQL backend AND Its behind a WAF but after few attempts I felt like its time for SQLMap

since it returns 403 on true . I passed –code=403 for make it easy for SQLMap

and the DB it came up with was

I reported the vulnerability (2016-05-12) to “domain.admin@nbcuni.com” .

and they responded and patched it (2016-05-14)