How I found SQL injection vulnerability on the government organization website!

Note: Automation Failed Here But Manual Research Wins Here

Last night, while casually poking around the internet (totally not looking for trouble), I stumbled upon a government website. Curiosity kicked in and with a few well-placed SQL payloads, boom — access granted! It turns out that their database had fewer security measures than my Wi-Fi password.

Sitting with Tired and Sleepy

SQL Injection in Tamil Nadu Government Portal Leads to Critical Data Exposure

SQL Injection vulnerabilities remain a significant threat to web applications, and a recent security flaw in the Tamil Nadu Government portal has led to critical data exposure. This flaw allowed attackers to manipulate database queries, potentially accessing sensitive citizen information without proper authorization.

SQL Injection

What Went Wrong?

Imagine gaining access to thousands of citizens’ sensitive data Confidential Drug Name and Distributors List— just by injecting a malicious SQL query. Alarming, right? That’s exactly what happened with the Tamil Nadu Government portal, where a critical SQL Injection vulnerability exposed highly confidential information to potential exploitation.

By manipulating database queries, attackers could retrieve, modify, or even delete sensitive records, posing a serious threat to data integrity and privacy. This incident underscores the urgent need for secure coding practices, regular security audits, and robust database protection to prevent such breaches.

Opening Laptop and Going to Browser (Felt Very Tired)

How I Got Specific Drug Management Tamil Nadu’s Portal!

It all started with Recon — Can you believe it?

You Can’t Believe

How it is Started?

1️⃣ Find All Domains & Subdomains
amass enum -passive -d target.com -o subdomains.txt

2️⃣ Resolve Live Subdomains
cat subdomains.txt | httpx -silent -mc 200,403,401 -o live_subdomains.txt

3️⃣Using Nuclei which is my Best Friend [Blossom Tool]
nuclei -l live_subdomains.txt

4️⃣ But, Now Nuclei haven’t found this but my eye found it (that’s why don’t Depend on Automation)

“Now Found Login Page”

Found a Login Page

With more tired and unhappy tried to add the following as username (admin’ — \)

Suddently got pop with SQL Error

SQL Error Da SQL Error

Next Enna SQLMap Dhan!!!

Ran SQL Map and the Database was Dumped

What I Did Next (The Ethical Way)

Instead of ignoring it, I:

1. Reported the SQL Injection vulnerability to the concerned authorities.
2. Explained the risks of unprotected database queries.
3. Ensured they patched the issue and secured the data.

Why This is a Big Deal
When government portals suffer from SQL Injection vulnerabilities, the consequences can be severe:

1. Mass Data Breach — Attackers can extract and sell sensitive citizen information.
2. System Compromise — Malicious queries could grant full database control, leading to data manipulation or deletion.
3. Regulatory Violations — Exposing personal data can result in legal consequences under Indian data protection laws.

Confirmation and Acceptance from Cert-In (Indian Cyber Incident Team)

Official Acceptance from Cert-In Team

That’s it for now.

Cheers and peace out!

Want to Know About me more: Read Here

Want to hack More Follow Below:

_.mr._domy >> Eat Well → Hack Well → Snack Well