The author spent a boring evening hacking instead of rearranging their room, as they often do to avoid reality.
After performing manual recon with tools like waybackurls, katana, and gauplus, the author found many juicy URLs that returned a 403 Forbidden error.
The author used 403 bypasser tools to get around the 403 errors and discovered that the target was a Java app running on Apache Tomcat, where the backslash had to be encoded as %5c.
The author advises digging through JS files during the recon phase, as these sometimes hide valuable parameters.
The author found such parameters in the form of SelectedSources, SelectedNames, and SelectedTemplate.
The author used SQLmap to test for SQLi, and determined that it was a Boolean-based blind query with the payload selectedSources=someSources') OR 06690=6690 OR ('04586='4586.
The author also found a Time-based blind query with the payload selectedSources=someSources') AND 4564=(SELECT 4564 FROM PG_SLEEP(6)) OR ('04586'='4586.
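As an added defender-side example (not from the original writeup), the following Python log scanner flags the two blind-SQLi probe shapes described above and %5c-encoded backslashes in request paths of the kind used for the Tomcat 403 bypass. The access-log lines are constructed samples; the parameter name selectedSources is taken from the writeup, everything else is assumed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not from the original writeup).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app/report?selectedSources=someSources HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /app/report?selectedSources=someSources%27%29%20OR%2006690%3D6690%20OR%20%28%2704586%27%3D%274586 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /app/report?selectedSources=someSources%27%29%20AND%204564%3D%28SELECT%204564%20FROM%20PG_SLEEP%286%29%29%20OR%20%28%2704586%27%3D%274586 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET /admin%5c..%5cmanager/html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Shapes of the two blind-SQLi probes from the writeup: an OR'd numeric
# tautology (n=n, leading zeros tolerated) and a PG_SLEEP() call.
TAUTOLOGY_RE = re.compile(r"\bOR\s+0*(\d+)\s*=\s*0*\1\b", re.I)
SLEEP_RE = re.compile(r"\bPG_SLEEP\s*\(\s*\d+\s*\)", re.I)

def inspect_request(target):
    """Return a list of finding labels for one raw request target."""
    findings = []
    parts = urlsplit(target)
    # Tomcat-style 403 bypass attempt: an encoded (or raw) backslash in the path.
    if "%5c" in parts.path.lower() or "\\" in unquote(parts.path):
        findings.append("encoded-backslash-path")
    # Decode each query parameter and match the probe signatures against its value.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if TAUTOLOGY_RE.search(value):
            findings.append(f"boolean-blind-sqli:{name}")
        if SLEEP_RE.search(value):
            findings.append(f"time-blind-sqli:{name}")
    return findings

def scan_log(text):
    """Parse access-log lines; return (ip, target, findings) for suspect requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_request(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, target)
```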