Unexpected Hidden Bugs!

Hello folks! How are you all? I hope you’re doing great. I’m back again with a very interesting writeup that I hope you’ll enjoy. So, without wasting time, let’s get started.

I was hunting on a private program as it is. I spent almost 2 days on the target. There was very little functionality to test. I got common WordPress and low information disclosure bugs. And all subdomains were protected by a firewall. Now what?

recon recon recon

I thought, let’s hunt on the main domain. I started with Google dorks, and I got only one result. That was the admin panel of target.com.

I immediately registered myself and I became an admin. Really? The answer is NO: a low-privilege admin member. I continued hunting on the admin panel. While testing the registration form, I saw there was OTP verification. I entered a wrong OTP and got the error “Reject: Verification Failed.” I thought there was a WAF, but let me try in the admin panel. I entered an XSS payload in the OTP field instead of a valid OTP, and I got a popup. No WAF on the admin side. Interesting... I clicked on Login, and I logged in with the credentials I had entered while creating the account. That means the server is not verifying whether the entered OTP is valid or not.

3949 is not an OTP
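The two flaws above (login succeeding after a failed OTP, and the OTP value being rendered as markup) come down to missing server-side state and missing output encoding. The following is an added sketch, not code from the target or from the original post; the function names, the in-memory store and the policy constants are assumptions made for illustration.

```python
import hashlib, hmac, html, secrets, time

OTP_TTL = 300       # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses before the code is burned (assumed policy)
FAIL = "Reject: Verification Failed."
accounts = {}       # in-memory stand-in for the user table (hypothetical)

def _otp_digest(otp):
    return hashlib.sha256(otp.encode()).digest()

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(email, password):
    """Create an UNVERIFIED account; return the OTP that would be sent out of band."""
    otp = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    accounts[email] = {"salt": salt, "pw": _pw_hash(password, salt),
                       "verified": False, "attempts": 0,
                       "otp": _otp_digest(otp), "expires": time.time() + OTP_TTL}
    return otp

def verify_otp(email, submitted):
    """Return (ok, html_message); the server, not the client, decides validity."""
    acct = accounts.get(email)
    if acct is None or acct["otp"] is None or time.time() > acct["expires"]:
        return False, FAIL
    if hmac.compare_digest(_otp_digest(submitted), acct["otp"]):
        acct["verified"], acct["otp"] = True, None   # single use
        return True, "Verified."
    acct["attempts"] += 1
    if acct["attempts"] >= MAX_ATTEMPTS:
        acct["otp"] = None                           # burn it; a new code must be issued
    # If the value is echoed back at all, it is HTML-escaped first.
    return False, FAIL + " You entered: " + html.escape(submitted)

def login(email, password):
    """Login is gated on the verified flag as well as the password."""
    acct = accounts.get(email)
    return bool(acct and acct["verified"] and
                hmac.compare_digest(acct["pw"], _pw_hash(password, acct["salt"])))
```

In the flow described in the post, the equivalent of `login` did not check a verified flag, so a rejected OTP had no effect on whether the account could be used.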

I told myself, “I have to dig more. It’s not enough.” And I continued testing each and every input field and observing every request and response of the admin panel. Then I found stored HTML injection + stored XSS.

Admin Panel?

Last but not least, there was some client data (maybe), like Name, Industry, Location, Budget, Status and so on. I clicked on View Contact, and suddenly the URL caught my attention. The URL was ending with “php?id=3”. Yes, you are right. Why not try SQL injection?

There was a ModSecurity WAF. I bypassed it and got the database name, banner, version, etc., and I reported it. That’s it, folks. Thank you for reading. Take care & happy hunting!

Instagram: th3.d1p4k

Twitter: Dipak Panchal

Bug hunter | CCSE