How I was able to find BAC (broken access control) on the university website, leading to result dumping
Hi Guyz,
My name is Krishnadev P Melevila. I am a security researcher working for many startups. To know more about me, just search for me on Google.
Here I am talking about a critical vulnerability that I spotted on a university website.

Note: This write-up will be a minimal one, and details like the usernames I mention are not the actual ones; they are written here just for understanding purposes, as the case is very confidential.
So, Let’s talk:
I was waiting, no, all the students were waiting for their semester results. Then suddenly, on a pleasant Saturday, the news came that the results were announced!
I jumped onto the university website straight away, and came to know that it was not our result; it was the seniors'!
Total disappointment!
Now what!! I needed to know my results at any cost. I did some surfing on the website. At some point, the source code got revealed accidentally (not a big deal, just CTRL+U, but without any click); it was due to high traffic on the website.
All of a sudden I came to see a modal called “runas” with an input field.
At that point, I wasn't sure what that actually referred to.
So, I just typed ‘a’ into that input field, and a dropdown list popped up listing users like:
admin
adminast1
acadmeicadmin
..
..
Whaaattttttttt???
Below that input, there was a login button. I typed “asstadmin” and clicked on login.
BOOM!!!! I am logged in as “asstadmin” user!!!!
But it was a disappointment, as it didn’t have any data, just some basic reports like exam centers, valuation centers and so on.
But what’s the fun without privilege escalation? (Not a real priv esc.)
I typed “exam” in the input field, thinking I would get some users related to the exam and that way I would be able to see my result. And yes, my expectations did come true.
There was a user called “examadmin”; I was able to log in as that user and view all students’ results.
YESSSSS! I was able to see the entire university results that were uploaded to the server but not published to the public!!!!!!!
Is that enough to report?
Yes, and to maintain professionalism and ethics, I quickly reported it to the university by email, and they released a patch in just 24 hours.
Now the attack is not possible.
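The flaw described above, modelled as an added example (not the university's code; user names and roles are constructed placeholders): a "runas" impersonation handler that trusts whatever username the hidden modal sends, beside a hardened version that stays disabled outside debugging, requires an already-authenticated superuser, refuses to impersonate another superuser, and records every attempt. The same gate is applied to the autocomplete that listed usernames to anyone typing a letter.

```python
from typing import List, Optional
from dataclasses import dataclass

# Constructed sample user directory; placeholders, not real accounts.
USERS = {"admin": "superuser", "asstadmin": "staff", "examadmin": "staff"}

@dataclass
class Session:
    user: Optional[str] = None   # None = anonymous visitor
    role: Optional[str] = None

AUDIT: List[str] = []  # stand-in for the application's audit log

def runas_vulnerable(session: Session, target: str) -> int:
    """Impersonation as the write-up describes it: the handler trusts the
    username from the hidden modal and never checks who is calling."""
    if target not in USERS:
        return 404
    session.user, session.role = target, USERS[target]
    return 200

def runas_hardened(session: Session, target: str, enabled: bool = False) -> int:
    """Same feature with the controls a production deployment needs."""
    # 1. Debug-only switch: the endpoint and its modal do not ship enabled.
    if not enabled:
        return 404
    # 2. Caller must already be an authenticated superuser; an anonymous
    #    visitor who discovers the form gets the same 403 as a staff user.
    if session.user is None or session.role != "superuser":
        AUDIT.append(f"runas denied caller={session.user!r} target={target!r}")
        return 403
    # 3. Unknown targets and other superusers are refused alike, so the
    #    response does not confirm which privileged accounts exist.
    if USERS.get(target) in (None, "superuser"):
        return 404
    # 4. Every successful impersonation is recorded with the real caller.
    AUDIT.append(f"runas caller={session.user} target={target}")
    session.user, session.role = target, USERS[target]
    return 200

def suggest_users(session: Session, prefix: str) -> List[str]:
    """Autocomplete that only answers an authenticated superuser; the
    vulnerable site returned 'admin', 'adminast1', ... to anyone typing 'a'."""
    if session.role != "superuser":
        return []
    return sorted(u for u in USERS if u.startswith(prefix))
```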
That’s it. I know this is not the usual write-up you expect from me, but as I am dealing with highly confidential data, I can’t reveal anything more than this in the write-up.
Don’t forget to follow me on Medium and other social media. Also please give your 50 claps for this write-up and that’s my inspiration to write more!!
I need your support to write more, Buy me a coffee pls: https://www.buymeacoffee.com/krishnadevpm
My Instagram handle: https://instagram.com/krishnadev_p_melevila
My Twitter handle: https://twitter.com/Krishnadev_P_M
My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/