A.I turned me into an admin (it shouldn't have)

AI-assisted security testing is terrifying

JP · 3 min read · March 26, 2026

Let me start by saying: I've notified the owner, who happens to be a well-known personality here in Mauritius. This was not some rogue hacking session. Everything has been reported.

That said, what I found was genuinely scary.

How It Started

There's a gambling website here in Mauritius. A real, live, operational betting platform handling real money. I was poking around the admin login page and noticed something. I typed a single quote ' in the username field and hit submit.

The website responded with:

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result,
boolean given in /var/www/html/include/Data.php on line 130

File paths. Line numbers. Function names. The technology stack. The website was telling me exactly where to look and what it was built with. I've been around long enough to know what that means: user input is going straight into SQL queries.

Normally, figuring out the right injection payload takes time. You try different combinations, study how the query is structured, deal with operator precedence, handle edge cases where the browser strips characters. It's tedious work.

So I did something different. I gave the error output to Claude Opus and asked it to figure out the exploit.

What Claude Found

Within one prompt, Opus analyzed the error message, inferred the query structure, and gave me the exact payload:

Username: ' OR 1=1 OR '1'='1
Password: anything

It even explained why simpler payloads wouldn't work. ' OR '1'='1 fails because AND precedence means the password still has to match. ' OR 1=1-- fails because MySQL needs a space after -- for comments. ' OR 1=1 # fails because the browser strips # as a URL fragment.

The three-part OR payload works because of SQL operator precedence. AND binds more tightly than OR, so the query becomes:

WHERE (username='') OR (1=1) OR ('1'='1' AND password='anything')

The middle condition is always true. All admin rows returned. Access granted.

I pasted the payload. Hit submit. Redirected to the full admin panel.
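To make the precedence argument concrete, here is an added example (not the site's code, and not from the post) that rebuilds the two login patterns in Python on an in-memory SQLite table. The table name, column names and stored credentials are constructed stand-ins for whatever the real PHP/mysqli code uses; the AND-before-OR behaviour that matters here is the same in SQLite and MySQL. It shows the string-concatenated query matching a row on the three-part payload and on nothing sensible with the simpler `' OR '1'='1`, while the parameterized version treats the whole payload as a username literal.

```python
import sqlite3

# Constructed stand-in for the admin table; real schema and names are unknown.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO admin_users (username, password) VALUES ('admin', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Query built by string concatenation, the pattern the mysqli warning on the
    page implies. Returns the number of rows matched; the site granted access
    whenever that count was non-zero."""
    sql = (
        "SELECT id FROM admin_users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return len(conn.execute(sql).fetchall())


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Same query with bound parameters. The driver sends the values as data,
    so a quote inside them is never interpreted as SQL syntax."""
    sql = "SELECT id FROM admin_users WHERE username=? AND password=?"
    return len(conn.execute(sql, (username, password)).fetchall())


# The three-part OR payload quoted in the post, and the simpler variant it rejects.
PAYLOAD = "' OR 1=1 OR '1'='1"
SIMPLE_PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Concatenated: username='' OR 1=1 OR ('1'='1' AND password='anything') -> 1 row
    print("vulnerable, three-part payload :", login_vulnerable(db, PAYLOAD, "anything"))
    # Concatenated: username='' OR ('1'='1' AND password='anything') -> 0 rows
    print("vulnerable, simple payload     :", login_vulnerable(db, SIMPLE_PAYLOAD, "anything"))
    # Bound parameters: the payload is just an unknown username -> 0 rows
    print("parameterized, three-part      :", login_parameterized(db, PAYLOAD, "anything"))
    print("parameterized, real credentials:", login_parameterized(db, "admin", "correct-horse"))
```

The fix for the site is the second function in its mysqli form (`prepare`/`bind_param`); the row-count contrast above is what a code reviewer would look for when auditing `Data.php`.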

What Was Exposed

Outlet management (physical betting locations), a news publishing system, streams management, internal documents, site content editing, banner management, and the ability to change admin passwords.

A gambling platform. Regulated by the Mauritius Gambling Regulatory Authority. Handling real money. Wide open.

The Point

I know what SQL injection is. I noticed the ' error myself. But the part that normally takes the most time (crafting the right payload, understanding why certain variants fail, dealing with operator precedence) took Claude Opus about 30 seconds.

What used to require an experienced penetration tester spending hours of manual work now takes one prompt to an AI model. The reconnaissance, the payload generation, the exploitation reasoning, all compressed into a single conversation turn.

This is what makes AI-assisted security testing terrifying. Not that it enables new attacks. SQL injection has been documented since the late 1990s. But it removes the skill barrier. Anyone with access to a frontier model can now do work that previously required years of experience.

The website had no CSRF protection, no security headers, no rate limiting, passwords likely stored in plaintext. The server hosts multiple other sites including five WordPress installations, any of which could be a lateral entry point. It's the full bingo card of basic security failures.

I've reported everything to the owner. What happens next is up to them.