Easy
150
Welcome to spatify, the perfect place to enjoy some royalty-free music with neither ads nor vulnerabilities at all!
Spatify robots.txt file discovery
After running the Burpsuite crawler, or any crawler, the crawler discovered a /robots.txt file.
The robots.txt file tells search engine crawlers which URLs the crawler can access on your site.
Content of robots.txt
Spatify's admin panel
The Spatify admin panel /superhiddenadminpanel/ can only be access via a password.
Spatify search engine
The Spatify home page / search for music based on the music name.
Default listed music
Analyze the search SQL Query
The search requires input with at least five characters.
The common word between all three music names is FEATURED. The result of FEATURED search is the same as the home page default music.
I assume the SQL Query querying is based on LIKE operator.
The LIKE operator is used in a WHERE clause to search for a specified pattern in a column.
There are two wildcards often used in conjunction with the LIKE operator:
The percent sign (%) represents zero, one, or multiple characters
The underscore sign (_) represents one, single character
Spotify Search with SQL Wildcards
The result of FEATURE% search is the same as the home page default music, which means the query is injectable with SQL wildcards.
SQL wildcard injection
List all music records with wildcards with five percent signs %. q=%%%%%%
Content of secret_password_backup.txt.bak
https://developers.google.com/search/docs/crawling-indexing/robots/intro
https://www.w3schools.com/sql/sql_like.asp
