Hello friends, I hope you are hunting well in this pandemic. In this writeup I will tell you how I got into a Hall of Fame. Actually, it was not accidental: “observation wins”. So, without wasting time, let’s get started.
As usual, I was hunting on responsible disclosure programs. So I chose a Dutch university as a target. I did basic recon and started observing: sensitive endpoints, how the web application works, what the features are, and where to find critical vulnerabilities.
After spending 30 minutes I found a file upload feature where students could upload files for their social media shout app on the main domain. There was file upload validation for extensions like jpeg, mp4 and docx. I bypassed it and could upload anything I wanted. Yes, you are right: an unrestricted file upload bug. I quickly made a proof of concept and reported it. (29 Jun. 2020)
I got a mail. They said, “The page doesn’t seem to exist (anymore).” After reading this mail I visited that web page again. And guess what: 404 Not Found.
Again, I started hunting on subdomains, and I found an error-based SQL injection. I was feeling happy 😊. I ran sqlmap and got the database. I took a screenshot and reported it. (09 Jul. 2020)
I thought, where am I making a mistake? I think I need a break. One day I came across @adityashende’s tweet; in this tweet there is a dork for CVE-2018-20824 (Jira XSS).
I started working on it and tried to find vulnerable Jira/Confluence instances. I found one domain vulnerable to this CVE (i.e. jira.redacted.org). Then I visited the main domain redacted.org and found my targeted university’s name in the footer.
I said to myself, “Okay…, let me report this first.” Then I reported it, and I was like, finally, a win!
Mail response: “Thank you for the report. We are trying to inform the administrator. As this seems to be a personal project outside of our network, that takes some time. In the meantime I wanted to ask whether you would like to be mentioned in our Hall of Fame.”
Tip: if you find a vulnerability on a domain, check the footer, privacy policy, security page, etc. to see which organization owns it.
Instagram: th3.d1p4k
Twitter: Dipak Panchal