.png)
1 year ago
120 BOOK THIS SPACE FOR AD
ARTICLE ADThis blog is for informational purpose only, so that emerging bug hunters could follow similar methodology and responsibly disclose the issues to the owner of the website.
The Covid-19 pandemic shifted everything from physical mode to work from home mode, therefore the schools needed their respective website where they could manage there data related to their students which include their activities, assignments, fee details etc. I won’t disclose the URL therefore will use https://ugtfdxlm.com as example.
I opened the website and started visiting various links present on there website with burp running in the background. It was mostly a static website with .html pages therefore could not find much in those pages. At the end I started the burp crawler on the domain which displayed many resources present in the website. There were some php pages now which were again not having any juicy information.
Then I saw a sub-directory that the burp crawler exposed in its result, let it be xhjc for example, therefore the URI becomes https://ugtfdxlm.com/xhjc. I opened it, and it was a php page too whose function was to take unique admission number and DOB of student as input and show the fee details related to that student. Now this is the area which seems exploitable. I entered a random admission number and DOB and submitted it which was obviously going to give me an error cz they were random. But this produced a GET request in the back-end, let that request be https://ugtfdxlm.com/xhjc?stud_id=87263&dob=2011–01–23 for example.
Seeing this kind of URL my instincts were to add tautology payload of SQLi in the request i.e. https://ugtfdxlm.com/xhjc?stud_id=87263'+oR+1=1+#&dob=2011–01–23 and submit it. The error disappeared and this confirmed me that I have got SQLi vulnerability in that website. I exploited it a bit more and I was able to dump the database of the students whose fee payment was left.
The details included the sensitive information of students such as their admission number, name, father’s name, DOB, mobile number, fee details etc.
Obviously I won’t exploit this vulnerability more because my ethics didn’t allow and won’t misuse this information too. But what else I can do with this vulnerability? A genuine question from newcomers. With this vulnerability I can now upload my own reverse shell payload to the server, get it executed and the whole server is under my control; Also if the user has the privileges of INSERT INTO command then I can insert the new rows or even update the rows such as making the fees 0 for students who have to pay the fees, but all this would be unethical. Following is the CVSS score that would have been assigned to this vulnerability:
On the same page I thought to add some HTML tags in the GET parameters such as https://ugtfdxlm.com/xhjc?stud_id=<h1>HELLO HTMLi</h1>&dob=2011–01–23 and submit it.
I was able to tamper the page content and this marks the availability of HTML injection in the webpage. Following is the CVSS score that would have been assigned to this vulnerability:
Since the URL https://ugtfdxlm.com/xhjc?stud_id=87263&dob=2011–01–23 accepts the tag therefore it should be vulnerable to the XSS vulnerability too. The URL for this becomes https://ugtfdxlm.com/xhjc?stud_id=<script>Hacked</script>&dob=2011–01–23.
The attacker can escalate this vulnerability to add his own form asking DOB and admission number of students and on submitting, the attacker can get those details in its server using javascript. The URL can be sent to the parents and they could become a victim of phishing. That’s why HTMLi and XSS are also serious vulnerabilities. The CVSS score that would have been assigned to this vulnerability:
Since I found all possible vulnerabilities related to the GET request of the URL, there were no other vulnerabilities left to be test on the domain cz the other pages were static. And since it’s a basic website therefore, for the sake of finding one more bug/misconfiguration on the website, I went for testing Click jacking on the website. Which actually worked cz the X-frame header was missing.
After finding these vulnerabilities I wrote an email to them which was present in the contacts section of the website explaining them the seriousness of cyber security and these vulnerabilities, but they didn’t reply back, otherwise I would have helped them in patching these vulnerabilities. The database that I got was having sensitive information, attacker could misuse the information for phishing purpose also since most of the parents also don’t know the concept of cyber security.
Anyways I just wanted to share that anything in the public domain which is vulnerable is at high risk, you never know which information could be misused in which manner.
Also the schools should know the seriousness of such kind of data which is prone to data breach, and should get their websites pentested before deploying it.
Bengali (Bangladesh) · 
English (United States) ·