Mr.Robot Blind SQL Injection Vulnerability

So the other day I saw this article on TheHackerNews and in Forbes about how a hacker found an XSS vulnerability on the Mr. Robot TV series' official website. Since I’m a big fan of the TV series, I went and looked around a bit. I wasn’t expecting to find any vulnerabilities, but I had Burp running on the side. There was a section where you can subscribe your email and “join and be a part of the revolution”, so I did, and I saw the request going to a page called “Usa_api.php”. I put in a single quote to see what would happen. The response didn’t come back with any errors; it just said “Invalid E-mail Address”. Then I tried “’+and+’x’=’x” and it returned “Access Denied”, which got me thinking that maybe it’s vulnerable to blind SQLi.

So I did some tests.

A true condition returns 403 Forbidden:

[Screenshot, 2016-05-12 2:43:20 PM: true condition, 403 Forbidden response]

A false condition returns “Invalid E-mail Address”:

[Screenshot, 2016-05-12 2:43:27 PM: false condition, “Invalid E-mail Address” response]



Since it was written in PHP, my best guess was that it had a MySQL backend and that it was sitting behind a WAF. After a few manual attempts I felt it was time for SQLMap.

Since it returns 403 on a true condition, I passed `--code=403` to make it easy for SQLMap to tell true from false.

[Screenshot, 2016-05-13 12:51:09 PM: SQLMap run with --code=403]

And the DB it came up with was:

[Screenshot, 2016-05-13 3:50:17 PM: SQLMap output showing the database]

I reported the vulnerability (2016-05-12) to “”.

They responded and patched it (2016-05-14).

[Screenshot, 2016-05-14 8:47:13 AM: response confirming the patch]
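For readers wondering what this class of bug looks like in code, here is an added PHP example (written for this post, not the site's real code, and not the vendor's actual fix): a hypothetical subscribe endpoint that reproduces the symptom described above, beside a hardened version. It assumes a MySQL table named `subscribers` with an `email` column, reached through PDO.

```php
<?php
// Added example, not the site's code. Assumes a MySQL table `subscribers(email)`
// reachable through PDO with placeholder credentials.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// VULNERABLE: the raw parameter is concatenated into the SQL string, so a value
// such as  x' and 'x'='x  rewrites the WHERE clause. A lone quote throws, the
// catch block hides the error, and the caller only ever sees one of two
// messages. That two-way difference is the oracle that makes the bug a
// *blind* SQL injection: no data is echoed, but true and false are still
// distinguishable.
function lookupVulnerable(PDO $pdo, string $email): string
{
    try {
        $row = $pdo->query("SELECT 1 FROM subscribers WHERE email = '$email'")->fetch();
        return $row ? 'Already subscribed' : 'Not yet subscribed';
    } catch (PDOException $e) {
        return 'Invalid E-mail Address'; // hides the error, not the oracle
    }
}

// HARDENED: validate the shape of the input first, then bind the value as data.
// A bound parameter can never be parsed as SQL, so quotes and boolean clauses
// are just characters in an address that will not match any row.
function lookupSafe(PDO $pdo, string $email): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid E-mail Address'; // rejected before any SQL runs
    }
    $stmt = $pdo->prepare('SELECT 1 FROM subscribers WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetch() ? 'Already subscribed' : 'Not yet subscribed';
}

echo lookupSafe($pdo, $_POST['email'] ?? '');
```

A WAF returning 403 on suspicious input, as seen here, does not remove the oracle; the prepared statement does.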
