.png)
1 year ago
58 BOOK THIS SPACE FOR AD
ARTICLE ADHello everyone! I’m Rhythm, also known as Ryh04x, and I’m back with a new article about how I compromised the admin panel of a Indian Department Online Recruitment Portal. Let’s get started.
I’ve been working on the gov.in domains for a few days now, and I’ve discovered more than 30 moderately serious bugs. I was hoping to find a high or critical severity bug. So, during my recon phase, I used tools like crt.sh, subfinder, amass, and assetfinder to find domains. After sorting them, I went to each URL one at a time, but when I went to Target.gov.in, it caught my attention, so I decided to brute force the directory. I eventually arrived at a directory called “/wcd_official”, and when I opened it, I was shocked to see that all of the people who had applied for jobs in that department had had their private information made public in these directories.
There were more than 5000 applicants, and after further investigation and fuzzing, I discovered a php file called “access.php”. I opened it to find the department’s online recruitment admin panel, so I tried the default credentials admin:admin and “BOOMM!” I could add users, choose or reject user-submitted applications, view all users who had applied for jobs, generate bulk admit cards, and check the status of submitted applications while I was in the admin panel. So I reported urgently the vulnerability to NCIIPC Responsive Vulnerability Disclosure Program and got an Acknowledgement for the report by Government of India.
Thanks you so much for reading we’ll be back soon with another “Kadak” writeup meanwhile then Keep Hunting Happy Hacking.
If you found it informative don’t forget to follow me on social media for more interesting hacking content.
Instagram – https://www.instagram.com/rhythmxsec/
Linkedin – https://www.linkedin.com/in/ryh04x
Bengali (Bangladesh) · 
English (United States) ·